US20240080669A1 - Man-in-the-middle detection method and apparatus - Google Patents
- Publication number
- US20240080669A1 (application US18/308,072)
- Authority
- US
- United States
- Prior art keywords
- physical frame
- base station
- frame
- communication apparatus
- rrc message
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
- H04W12/122—Counter-measures against attacks; Protection against rogue devices
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/10—Integrity
- H04W12/106—Packet or message integrity
Definitions
- RRC radio resource control
- UE user equipment
- a man-in-the-middle is a type of false base station, including a false base station part function and a false UE part function.
- In response to the UE being in an idle state and approaching a false base station, the UE detects that the signal quality of the cell of the false base station is good and meets a cell reselection condition, triggers a cell reselection process, and camps on the cell of the false base station.
- In response to the UE being in a connected state and approaching a false base station, the UE detects that the signal quality of the cell of the false base station is good and reports a measurement result to a serving cell.
- the serving cell triggers handover of the UE to the cell of the false base station, to enable the UE to camp on the cell of the false base station.
- the false UE part function is used to forward or modify communication data of real UE, access a real base station as the real UE, and communicate with an access and mobility management function (access and mobility management function, AMF) based on an N2 protocol.
- AMF access and mobility management function
- a current method for discovering a man-in-the-middle is usually as follows: the UE calculates a hash (HASH) value of a received master information block (MIB)/system information block (SIB), and the hash value of the MIB/SIB is carried in a measurement report (MR)/logged MR reported to a real base station.
- the real base station calculates a hash value of the MIB/SIB and compares it with the value reported by the UE; in response to the two values being inconsistent, it determines that a man-in-the-middle exists.
- this method cannot be used to detect the man-in-the-middle.
- Some embodiments provide a man-in-the-middle detection method and apparatus, to effectively improve an air interface man-in-the-middle detection rate and prevent a man-in-the-middle from bypassing a detection mechanism through technical means.
- a man-in-the-middle detection method includes: A base station receives, in a first physical frame, a first radio resource control RRC message from user equipment UE; the base station receives a second RRC message from the UE, where the second RRC message includes frame information of a second physical frame, and security protection is performed on the first RRC message and the second RRC message by using an access stratum AS security context established by the UE and the base station; and the base station determines whether the first physical frame matches the second physical frame.
- the frame information of the second physical frame includes a frame number and a subframe number of the second physical frame.
- that the base station determines whether the first physical frame matches the second physical frame includes: in response to a frame number of the first physical frame being the same as the frame number of the second physical frame and a subframe number of the first physical frame being the same as the subframe number of the second physical frame, the base station determines that the first physical frame matches the second physical frame; otherwise, the base station determines that the first physical frame does not match the second physical frame.
- the method further includes: The base station stores frame information of the first physical frame.
- before the base station receives, in the first physical frame, the first radio resource control RRC message from the UE, the method further includes: the base station establishes the AS security context with the UE.
- before the base station receives, in the first physical frame, the first RRC message from the UE, the method further includes: the base station sends indication information to the UE, where the indication information indicates the UE to enable man-in-the-middle detection.
- a man-in-the-middle detection method includes: User equipment UE sends, in a second physical frame, a first radio resource control RRC message to a base station; and the UE sends a second RRC message to the base station, where the second RRC message includes frame information of the second physical frame, and security protection is performed on the first RRC message and the second RRC message by using an access stratum AS security context established by the UE and the base station.
- the frame information of the second physical frame includes a frame number and a subframe number of the second physical frame.
- before the UE sends, in the second physical frame, the first radio resource control RRC message to the base station, the method further includes: the UE receives downlink control information DCI, where the DCI is used to determine the frame information of the second physical frame; and the UE stores the frame information of the second physical frame.
- before the UE sends, in the second physical frame, the first radio resource control RRC message to the base station, the method further includes: the UE accesses the base station and establishes the AS security context with the base station.
- that the UE sends, in the second physical frame, the first radio resource control RRC message to the base station includes: in response to a preset rule being met, the UE sends, in the second physical frame, the first RRC message to the base station.
- the preset rule includes: The UE receives indication information sent by the base station, where the indication information indicates the UE to enable man-in-the-middle detection; or the UE determines that user plane integrity protection between the UE and the base station is not enabled.
- a man-in-the-middle detection method includes: User equipment UE sends, in a third physical frame, a third radio resource control RRC message to a base station; the UE receives a fourth RRC message from the base station, where the fourth RRC message includes frame information of a fourth physical frame; the UE determines whether the third physical frame matches the fourth physical frame; and the UE sends a fifth RRC message to the base station, where the fifth RRC message indicates whether the third physical frame matches the fourth physical frame, and security protection is performed on the third RRC message, the fourth RRC message, and the fifth RRC message by using an access stratum AS security context established by the UE and the base station.
- the frame information of the fourth physical frame includes a frame number and a subframe number of the fourth physical frame.
- that the UE determines whether the third physical frame matches the fourth physical frame includes: in response to a frame number of the third physical frame being the same as the frame number of the fourth physical frame and a subframe number of the third physical frame being the same as the subframe number of the fourth physical frame, the UE determines that the third physical frame matches the fourth physical frame; otherwise, the UE determines that the third physical frame does not match the fourth physical frame.
- before the UE sends, in the third physical frame, the third radio resource control RRC message to the base station, the method further includes: the UE receives downlink control information DCI, where the DCI is used to determine frame information of the third physical frame, and the frame information of the third physical frame includes the frame number and the subframe number of the third physical frame; and the UE stores the frame information of the third physical frame.
- before the UE sends, in the third physical frame, the third radio resource control RRC message to the base station, the method further includes: the UE accesses the base station and establishes the AS security context with the base station.
- that the UE sends, in the third physical frame, the third radio resource control RRC message to the base station includes: in response to a preset rule being met, the UE sends, in the second physical frame, the third RRC message to the base station.
- the first preset rule includes: the UE receives indication information sent by the base station, where the indication information indicates the UE to enable man-in-the-middle detection; or the UE determines that user plane integrity protection between the UE and the base station is not enabled.
- a man-in-the-middle detection method includes: A base station receives, in a fourth physical frame, a third RRC message from user equipment UE; the base station sends a fourth RRC message to the UE, where the fourth RRC message includes frame information of the fourth physical frame; the base station receives a fifth RRC message sent by the UE; and the base station determines, based on the fifth RRC message, whether a man-in-the-middle exists between the base station and the UE.
- the fifth RRC message indicates whether a third physical frame matches the fourth physical frame
- the third physical frame is a physical frame in which the UE sends the third RRC message. That the base station determines, based on the fifth RRC message, whether a man-in-the-middle exists between the base station and the UE includes: In response to the third physical frame not matching the fourth physical frame, the base station determines that a man-in-the-middle exists between the base station and the UE; or in response to the third physical frame matching the fourth physical frame, the base station determines that no man-in-the-middle exists between the base station and the UE.
- the frame information of the fourth physical frame includes a frame number and a subframe number of the fourth physical frame.
- before the base station receives, in the fourth physical frame, the third RRC message sent by the UE, the method further includes: the base station establishes an AS security context with the UE.
- before the base station receives, in the fourth physical frame, the third RRC message from the UE, the method further includes: the base station sends indication information to the UE, where the indication information indicates the UE to enable man-in-the-middle detection.
- a man-in-the-middle detection apparatus includes: a transceiver module, configured to receive, in a first physical frame, a first radio resource control RRC message from user equipment UE, where the transceiver module is further configured to receive a second RRC message from the UE, where the second RRC message includes frame information of a second physical frame, and security protection is performed on the first RRC message and the second RRC message by using an access stratum AS security context established by the UE and a base station; and a processing module, configured to determine whether the first physical frame matches the second physical frame.
- the frame information of the second physical frame includes a frame number and a subframe number of the second physical frame.
- the processing module is configured to: in response to a frame number of the first physical frame being the same as the frame number of the second physical frame and a subframe number of the first physical frame being the same as the subframe number of the second physical frame, determine, by the base station, that the first physical frame matches the second physical frame; otherwise, determine, by the base station, that the first physical frame does not match the second physical frame.
- the processing module is further configured to store frame information of the third physical frame.
- the processing module is further configured to establish the AS security context with the UE.
- the transceiver module is further configured to send indication information to the UE, where the indication information indicates the UE to enable man-in-the-middle detection.
- a man-in-the-middle detection apparatus includes a transceiver module, configured to send, in a second physical frame, a first radio resource control RRC message to a base station.
- the transceiver module is further configured to send a second RRC message to the base station.
- the second RRC message includes frame information of the second physical frame, and security protection is performed on the first RRC message and the second RRC message by using an access stratum AS security context established by UE and the base station.
- the frame information of the second physical frame includes a frame number and a subframe number of the second physical frame.
- the transceiver module is further configured to receive downlink control information DCI, where the DCI is used to determine the frame information of the second physical frame.
- the apparatus further includes a processing module, where the processing module is configured to store the frame information of the second physical frame.
- the processing module is further configured to access the base station and establish the AS security context with the base station.
- the transceiver module is configured to: in response to a preset rule being met, send, by the UE in the second physical frame, the first RRC message to the base station.
- the preset rule includes: The UE receives indication information sent by the base station, where the indication information indicates the UE to enable man-in-the-middle detection; or the UE determines that user plane integrity protection between the UE and the base station is not enabled.
- a man-in-the-middle detection apparatus includes: a transceiver module, configured to send, in a third physical frame, a third radio resource control RRC message to a base station.
- the transceiver module is further configured to receive a fourth RRC message from the base station, where the fourth RRC message includes frame information of a fourth physical frame; and the transceiver module is further configured to send a fifth RRC message to the base station, where the fifth RRC message indicates whether the third physical frame matches the fourth physical frame, and security protection is performed on the third RRC message, the fourth RRC message, and the fifth RRC message by using an access stratum AS security context established by UE and the base station.
- the frame information of the fourth physical frame includes a frame number and a subframe number of the fourth physical frame.
- the processing module is configured to: in response to a frame number of the third physical frame being the same as the frame number of the fourth physical frame and a subframe number of the third physical frame being the same as the subframe number of the fourth physical frame, determine, by the UE, that the third physical frame matches the fourth physical frame; otherwise, determine, by the UE, that the third physical frame does not match the fourth physical frame.
- the transceiver module is further configured to receive downlink control information DCI, where the DCI is used to determine frame information of the third physical frame, and the frame information of the third physical frame includes the frame number and the subframe number of the third physical frame.
- the processing module is further configured to store the frame information of the third physical frame.
- the processing module is further configured to access the base station and establish the AS security context with the base station.
- the first preset rule includes: the UE receives indication information sent by the base station, where the indication information indicates the UE to enable man-in-the-middle detection; or the UE determines that user plane integrity protection between the UE and the base station is not enabled.
- a man-in-the-middle detection apparatus includes: a transceiver module, configured to receive, in a fourth physical frame, a third RRC message from user equipment UE, where the transceiver module is further configured to send a fourth RRC message to the UE, where the fourth RRC message includes frame information of the fourth physical frame; and the transceiver module is further configured to receive a fifth RRC message sent by the UE; and a processing module, configured to determine, based on the fifth RRC message, whether a man-in-the-middle exists between a base station and the UE.
- the fifth RRC message indicates whether a third physical frame matches the fourth physical frame
- the third physical frame is a physical frame in which the UE sends the third RRC message.
- the processing module is configured to: in response to the third physical frame not matching the fourth physical frame, determine that the man-in-the-middle exists between the base station and the UE; or in response to the third physical frame matching the fourth physical frame, determine that no man-in-the-middle exists between the base station and the UE.
- the frame information of the fourth physical frame includes a frame number and a subframe number of the fourth physical frame.
- the processing module is further configured to establish an AS security context with the UE.
- the transceiver module is further configured to send indication information to the UE, where the indication information indicates the UE to enable man-in-the-middle detection.
- a communication apparatus includes a processor, configured to execute a computer program stored in a memory, to enable the communication apparatus to perform the communication method in any one of the embodiments.
- a computer-readable storage medium stores a computer program; when the computer program is run on a computer, the computer is enabled to perform the communication method in any one of the embodiments.
- a chip system includes a processor, configured to invoke a computer program from a memory and run the computer program, to enable the communication device installed with the chip system to perform the communication method in any one of the embodiments.
- FIG. 1 is an example diagram of a system architecture, in accordance with some embodiments.
- FIG. 2 is an architectural diagram of working of a man-in-the-middle according to some embodiments.
- FIG. 3 is a schematic interaction diagram of an example of a man-in-the-middle detection method according to some embodiments.
- FIG. 4 is a schematic diagram of message transmission between user equipment and a base station according to some embodiments.
- FIG. 5 is a schematic interaction diagram of another example of a man-in-the-middle detection method according to some embodiments.
- FIG. 6 is a schematic interaction diagram of another example of a man-in-the-middle detection method according to some embodiments.
- FIG. 7 is a schematic interaction diagram of another example of a man-in-the-middle detection method according to some embodiments.
- FIG. 8 is a schematic block diagram of an example of user equipment according to some embodiments.
- FIG. 9 is a schematic block diagram of an example of a base station according to some embodiments.
- FIG. 10 is a schematic block diagram of another example of user equipment according to some embodiments.
- FIG. 11 is a schematic block diagram of another example of a base station according to some embodiments.
- FIG. 12 is a schematic block diagram of an example of a communication apparatus according to some embodiments.
- FIG. 13 is a schematic block diagram of another example of a communication apparatus according to some embodiments.
- FIG. 14 is a schematic diagram of a structure of a terminal device according to some embodiments.
- LTE long term evolution
- FDD frequency division duplex
- TDD time division duplex
- UMTS universal mobile telecommunications system
- NR new radio
- the communication system includes but is not limited to the following network elements.
- the UE in some embodiments further are referred to as a mobile station (mobile station, MS), a mobile terminal (mobile terminal, MT), an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent, a user apparatus, and the like.
- MS mobile station
- MT mobile terminal
- the UE is a device that provides voice/data connectivity for a user, for example, a handheld device or a vehicle-mounted device that has a wireless connection function.
- some terminals are a mobile phone (mobile phone), a tablet computer, a laptop computer, a palmtop computer, a mobile internet device (mobile internet device, MID), a wearable device, a virtual reality (virtual reality, VR) device, an augmented reality (augmented reality, AR) device, a wireless terminal in industrial control (industrial control), a wireless terminal in self-driving (self-driving), a wireless terminal in remote medical surgery (remote medical surgery), a wireless terminal in a smart grid (smart grid), a wireless terminal in transportation safety (transportation safety), a wireless terminal in a smart city (smart city), a wireless terminal in a smart home (smart home), a cellular phone, a cordless telephone set, a session initiation protocol (session initiation protocol, SIP) phone, a wireless local loop
- the UE alternatively is a wearable device.
- the wearable device further is referred to as a wearable intelligent device, and is a general term of a wearable device that is intelligently designed and developed for daily wear by using a wearable technology, for example, glasses, gloves, a watch, clothing, and shoes.
- the wearable device is a portable device that is directly worn on a body or integrated into clothes or an accessory of a user.
- the wearable device is not merely a hardware device, but also implements powerful functions through software support, data exchange, and cloud interaction.
- a generalized wearable intelligent device includes a full-featured and large-size device that implements complete or partial functions without depending on a smartphone, such as a smart watch or smart glasses, and a device that focuses on one type of application functions and works with another device such as a smartphone, for example, various smart bands or smart jewelry for monitoring a physical sign.
- the UE alternatively is UE in an internet of things (Internet of things, IoT) system.
- IoT Internet of things
- the IoT is part of future information technology development.
- a main technical feature of the IoT is that an article is connected to a network by using a communication technology, to implement an intelligent network for human-machine interconnection and thing-thing interconnection.
- the IoT technology implements massive connections, in-depth coverage, and terminal power saving by using, for example, a narrow band (narrow band) NB technology.
- a narrow band (narrow band) NB technology includes one resource block (resource block, RB).
- RB resource block
- a bandwidth of the NB is 180 KB.
- a terminal performs discrete access. According to a communication method in some embodiments, a congestion problem that occurs in the IoT technology in response to massive terminals accessing a network through the NB is effectively resolved.
- the UE further communicates with UE in another communication system.
- the UEs perform inter-device communication.
- the UE further transmits (for example, sends and/or receives) a time synchronization packet with UE in another communication system.
- the base station in some embodiments is a device configured to communicate with UE.
- the base station further is referred to as an access network device or a radio access network device.
- the base station is an evolved NodeB (evolved NodeB, eNB or eNodeB) in an LTE system, or a radio controller in a cloud radio access network (cloud radio access network, CRAN) scenario.
- the base station is a relay station, an access point, a vehicle-mounted device, a wearable device, a base station in a future 5G network, a base station in a future evolved PLMN network, an access point (access point, AP) in a WLAN, or a gNB in a new radio (new radio, NR) system. This is not limited in some embodiments.
- the base station is a device in a RAN, that is, a RAN node that enables UE to access a wireless network.
- the base station is a gNB, a transmission reception point (transmission reception point, TRP), an evolved NodeB (evolved NodeB, eNB), a radio network controller (radio network controller, RNC), a NodeB (NodeB, NB), a base station controller (base station controller, BSC), a base transceiver station (base transceiver station, BTS), a home base station (such as a home evolved NodeB, or home NodeB, HNB), or a base band unit (base band unit, BBU).
- TRP transmission reception point
- eNB evolved NodeB
- RNC radio network controller
- NB NodeB
- BSC base station controller
- BTS base transceiver station
- HNB home base station, such as a home evolved NodeB or home NodeB
- a network device in a network structure, includes a central unit (central unit, CU) node, a distributed unit (distributed unit, DU) node, a RAN device including a CU node and a DU node, or a RAN device including a CU control plane node (CU-CP node), a CU user plane node (CU-UP node), and a DU node.
- CU central unit
- DU distributed unit
- the base station serves a cell.
- UE communicates with the base station by using a transmission resource (for example, a frequency domain resource or a spectrum resource) used for the cell.
- the cell is a cell corresponding to the base station.
- the cell belongs to a macro base station, or a base station corresponding to a small cell (small cell).
- the small cell herein includes a metro cell (metro cell), a micro cell (micro cell), a pico cell (pico cell), a femto cell (femto cell), or the like. These small cells have features of small coverage and low transmit power, and are applicable to providing a high-speed data transmission service.
- a plurality of cells simultaneously operate on the same frequency on a carrier in an LTE system or a 5G system.
- a concept of the carrier is equivalent to that of the cell.
- in a carrier aggregation (carrier aggregation, CA) scenario, in response to a secondary component carrier being configured for UE, a carrier index of the secondary component carrier and a cell identifier (cell identifier, Cell ID) of a secondary cell working on the secondary component carrier are both carried.
- the concept of the carrier is equivalent to that of the cell. For example, for UE, accessing a carrier is equivalent to accessing a cell.
- the access management function entity is mainly configured to perform mobility management, access management, and the like, and is configured to implement functions other than a session management function in functions of a mobility management entity (mobility management entity, MME) in an LTE system, for example, functions such as lawful interception and access authorization/authentication.
- an access management network element is an access management function (access and mobility management function, AMF) entity.
- the access management function entity may still be an AMF entity, or may have another name. This is not limited in some embodiments.
- the entities or the functions are network elements in a hardware device, software functions run on dedicated hardware, or virtualized functions instantiated on a platform (for example, a cloud platform).
- FIG. 2 is an architectural diagram of working of a man-in-the-middle.
- the man-in-the-middle includes a false base station part and a false UE part.
- the false base station part is configured to attract UE to camp on a man-in-the-middle cell
- the false UE part is configured to access a real base station, and forward or modify communication data of real UE.
- An AMF network element is a network element that is mainly responsible for access and mobility management.
- a base station (a gNB in FIG. 2 ) and the AMF are connected through an N2 interface. The interface is similar to an S1 interface, and transmits a message exchanged between a RAN and the AMF.
- the UE communicates with the AMF through an N1/NAS interface to transmit a message exchanged between the UE and the AMF.
- the RAN forwards the message to the AMF.
- the UE and the base station are connected through a Uu interface, over which the UE and the base station exchange RRC signaling and user plane data.
- the base station is connected to the AMF through the N2 interface, and the base station communicates with the AMF based on an N2 protocol.
- Such a man-in-the-middle can eavesdrop on, tamper with, forge, inject, and release air interface messages, causing a DoS attack on a terminal and a network.
- It is usually difficult for the network side and the terminal side to perceive a man-in-the-middle.
- the following first describes a physical frame in air interface communication by using a frame structure in an LTE system and an NR system as an example.
- the physical frame usually refers to a protocol data unit at a data link layer.
- the physical frame includes several parts that perform different functions.
- the frame structure refers to frames that form different repetition periodicities based on different transmitted information.
- a dedicated radio frame structure is designed.
- there are two types of frame structure for periodic transmission with a standard configuration of uplink and downlink subframes: a radio frame and a half-frame. Duration of the radio frame is 10 ms, and duration of the half-frame is 5 ms.
- One radio frame includes two half-frames. Each half-frame includes five subframes whose duration is 1 ms, each subframe includes two slots whose duration is 0.5 ms, and each slot includes six or seven CP+OFDM symbols based on different cyclic prefix CP duration.
- a 5G frame uses a hierarchical structure and includes two parts: a fixed architecture and a flexible architecture.
- the fixed architecture is the same as that in 4G, and includes a radio frame whose duration is 10 ms and a subframe whose duration is 1 ms.
- Each frame is divided into two half-frames.
- the first half-frame includes subframes 0 to 4, and the second half-frame includes subframes 5 to 9.
- Each subframe includes several slots.
- a system frame number (system frame number, SFN) ranges from 0 to 1023, that is, a data sending periodicity is 1024 frames.
- a subframe number ranges from 0 to 9, that is, a sending periodicity of a part of control information is 10 subframes.
- FIG. 3 is a schematic flowchart of a man-in-the-middle detection method 100 according to some embodiments. As shown in FIG. 3, the method 100 includes the following steps.
- a base station receives, in a first physical frame, a first RRC message sent by UE.
- the base station receives a second RRC message sent by the UE, where the second RRC message includes frame information of a second physical frame.
- the base station determines whether the first physical frame matches the second physical frame.
- After successfully establishing an AS security context with the UE, the base station receives, in the first physical frame, the first RRC message from the UE. Then, the base station receives the second RRC message, on which security protection is performed, from the UE. The UE provides the frame information of the second physical frame to the base station by using the second RRC message. The second physical frame is the physical frame in which the UE sent the first RRC message. In response to a man-in-the-middle attack existing, air interface communication between the base station and the UE is intercepted by the man-in-the-middle.
- An air interface between the UE and a false base station and an air interface between false UE and the base station are independent of each other, that is, the base station is unable to directly receive the first RRC message sent by the UE.
- the man-in-the-middle receives the first RRC message through the false base station, and forwards the first RRC message to the base station through the false UE.
- Security protection is performed on the first RRC message by using an access stratum security context established by the UE and the base station. Therefore, the man-in-the-middle is unable to crack or tamper with the first RRC message.
- In response to the first physical frame matching the second physical frame, the base station determines that no man-in-the-middle exists between the UE and the base station. In response to the first physical frame not matching the second physical frame, the base station determines that a man-in-the-middle exists between the UE and the base station.
- whether the man-in-the-middle exists in the air interface communication is determined by determining whether the physical frame in which the UE sends the uplink message matches the physical frame in which the base station receives the uplink message, to prevent the man-in-the-middle from bypassing detection through a mechanism of the man-in-the-middle and improve a man-in-the-middle detection rate.
- a basis of the man-in-the-middle detection method in some embodiments is as follows:
- the physical frame in which the UE sends the uplink message is unable to match the physical frame in which the base station receives the uplink message.
- frame information of the physical frame in which the UE sends the uplink message is inconsistent with frame information of the physical frame in which the base station receives the uplink message.
- the uplink message is, for example, the first RRC message.
- the base station receives the first RRC message transparently transmitted by the man-in-the-middle.
- frame information of a physical frame in which the man-in-the-middle sends the uplink message through false UE is unable to be consistent with frame information of a physical frame in which real UE sends the uplink message.
- the process 200 shown in FIG. 4 includes the following steps.
- S 210 The UE sends a first scheduling request (scheduling request, SR) to the man-in-the-middle.
- the UE and the base station are indirectly connected through the man-in-the-middle, that is, the man-in-the-middle establishes connections to the real UE and a real base station separately through the false base station and the false UE.
- the UE sends the first SR to the false base station to apply for an uplink transmission resource.
- the man-in-the-middle sends first downlink control information (downlink control information, DCI) to the UE.
- After receiving the first SR sent by the UE, the man-in-the-middle sends the first DCI to the UE, and indicates an appropriate available resource to the UE by using the first DCI.
- the UE receives the first DCI sent by the man-in-the-middle, determines a physical frame a based on the first DCI, and sends the first RRC message to the man-in-the-middle in the physical frame a.
- After receiving the first DCI in a subframe n, the UE sends the first RRC message to the man-in-the-middle in a subframe n+x.
- a physical frame in which the subframe n+x is located is the physical frame a.
- x is a value described in a protocol, and in a unified configuration, the value of x is fixed.
- the value of x is fixed to 4.
- For details, refer to chapter 8 of the protocol 3GPP TS 36.213.
- alternatively, the UE receives the first DCI, where the first DCI carries an information parameter, and the UE determines the value of x based on the information parameter.
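The frame structure described above (SFN 0 to 1023, subframes 0 to 9, optional slot) and the "DCI in subframe n, uplink in subframe n+x" rule are easy to get wrong at the SFN wraparound, which matters because the detection methods compare exact frame numbers. The following Python is an added example, not code from the patent: it models the frame information as a small value type, converts between (frame, subframe) and an absolute subframe index, applies the scheduling offset (x = 4 as the page states for LTE; the offset is a parameter here), and implements the matching rule with the slot number as an optional component. The `FrameInfo` type, the function names and the slot handling are this example's own assumptions.

```python
"""Added example (not from the patent): LTE/NR frame arithmetic and the frame matching rule."""
from dataclasses import dataclass

FRAME_MS = 10             # radio frame duration
SUBFRAME_MS = 1           # subframe duration
SFN_RANGE = 1024          # system frame number 0..1023: the SFN cycle is 1024 frames
SUBFRAMES_PER_FRAME = 10  # subframes 0..9; 0-4 form the first half-frame, 5-9 the second
CYCLE_SUBFRAMES = SFN_RANGE * SUBFRAMES_PER_FRAME


@dataclass(frozen=True)
class FrameInfo:
    """Frame information as the patent uses it: frame number, subframe number, optional slot.
    (Assumed representation; the patent only lists the fields.)"""
    sfn: int
    subframe: int
    slot: int = 0

    def __post_init__(self):
        if not 0 <= self.sfn < SFN_RANGE or not 0 <= self.subframe < SUBFRAMES_PER_FRAME:
            raise ValueError(f"invalid frame info {self}")

    @property
    def half_frame(self) -> int:
        """0 for subframes 0-4, 1 for subframes 5-9."""
        return 0 if self.subframe < SUBFRAMES_PER_FRAME // 2 else 1


def absolute_subframe(f: FrameInfo) -> int:
    """Position of a subframe within the 1024-frame SFN cycle (0 .. 10239)."""
    return f.sfn * SUBFRAMES_PER_FRAME + f.subframe


def from_absolute_subframe(n: int, slot: int = 0) -> FrameInfo:
    """Inverse of absolute_subframe; wraps at the end of the SFN cycle."""
    sfn, subframe = divmod(n % CYCLE_SUBFRAMES, SUBFRAMES_PER_FRAME)
    return FrameInfo(sfn, subframe, slot)


def scheduled_ul_frame(dci_frame: FrameInfo, x: int = 4) -> FrameInfo:
    """Uplink subframe for a grant received in dci_frame: subframe n + x (x fixed to 4 in LTE).
    Handles the wrap from SFN 1023 back to SFN 0; the slot is carried over unchanged."""
    return from_absolute_subframe(absolute_subframe(dci_frame) + x, dci_frame.slot)


def subframes_between(a: FrameInfo, b: FrameInfo) -> int:
    """Subframes (= milliseconds) from a to b, modulo the SFN cycle."""
    return (absolute_subframe(b) - absolute_subframe(a)) % CYCLE_SUBFRAMES


def frames_match(a: FrameInfo, b: FrameInfo, compare_slot: bool = False) -> bool:
    """Matching rule from the patent: same frame number and subframe number; the slot number
    is compared only when a subframe contains several slots and it is carried as well."""
    same = a.sfn == b.sfn and a.subframe == b.subframe
    return same and (a.slot == b.slot if compare_slot else True)
```

Note that `subframes_between` is modular: a frame recorded just before the SFN wrap and one recorded just after it are one subframe apart, not 10239, which is the case a naive subtraction gets wrong.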
- After receiving the first SR sent by the UE in step S 210, the man-in-the-middle reports the first SR to the real base station through the false UE.
- After receiving the first SR sent by the false UE, the base station sends second DCI to the man-in-the-middle to indicate an appropriate available resource for the false UE.
- the man-in-the-middle receives the second DCI sent by the base station, determines a physical frame b based on the second DCI, and sends the first RRC message to the base station in the physical frame b.
- the physical frame a is a time domain resource location indicated by the man-in-the-middle for the UE.
- the physical frame b is a time domain resource location indicated by the base station for the man-in-the-middle. Because the man-in-the-middle is unable to predict a location of the physical frame b indicated by the base station, the physical frame a is unable to match the physical frame b. Therefore, in response to the man-in-the-middle attack existing, the physical frame in which the UE sends the uplink message is unable to match the physical frame in which the base station receives the uplink message.
- FIG. 5 is a schematic flowchart of a man-in-the-middle detection method 300 according to some embodiments in response to a man-in-the-middle attack existing between UE and a base station. As shown in FIG. 5, the method 300 includes the following steps.
- S 310 The UE establishes an AS security context with the base station.
- the UE accesses the base station, that is, the UE establishes an indirect connection to the base station through the man-in-the-middle, and then the UE establishes the access stratum AS security context with the base station.
- security protection is performed on RRC messages, and the man-in-the-middle is unable to tamper with the RRC message sent between the UE and the base station.
- the security protection includes RRC integrity protection and RRC confidentiality protection.
- the RRC integrity protection ensures that the RRC message is not tampered with in a transmission process, and the RRC confidentiality protection ensures that information content of the RRC message is not disclosed in the transmission process.
- the man-in-the-middle sends third DCI to the UE, where the third DCI is used to determine a physical frame p for sending the RRC message by the UE.
- the UE sends a buffer status report (buffer status report, BSR) to the man-in-the-middle to indicate a data volume of an uplink buffer, and then the man-in-the-middle sends the third DCI to the UE to allocate an appropriate available resource to the UE.
- the third DCI carries an information parameter.
- the UE stores frame information of the physical frame p, where the frame information of the physical frame p includes a frame number and a subframe number of the physical frame p.
- before step S 320, in response to a first preset rule being met, the UE enables man-in-the-middle detection.
- the enabling man-in-the-middle detection means that the UE performs the method mentioned in some embodiments.
- the enabling man-in-the-middle detection includes: The UE sends a first physical frame query request message and a second physical frame query request message that carries the frame information of the physical frame p.
- the first preset rule includes: The UE receives indication information from the base station, where the indication information indicates the UE to enable man-in-the-middle detection; or the UE determines that user plane integrity protection between the UE and the base station is not enabled.
- in response to the user plane integrity protection not being enabled, there is a risk of tampering with user plane data between the UE and the base station. In this case, in response to the man-in-the-middle existing, authenticity of the user plane data is unable to be ensured. Therefore, the man-in-the-middle detection is enabled.
- in response to a second preset rule being met, the base station sends indication information to the UE to indicate the UE to enable the man-in-the-middle detection.
- the second preset rule is, for example, that a key performance indicator (key performance indicator, KPI) is greater than a second threshold.
- the UE sends, in the physical frame p, the first physical frame query request message that is carried in the RRC message, to perform man-in-the-middle detection. Security protection is performed on the message, and therefore the message is unable to be tampered with by the man-in-the-middle.
- the first physical frame query request message is an empty RRC message.
- the base station sends fourth DCI to the man-in-the-middle, where the fourth DCI is used to determine a physical frame q.
- before S 340, the man-in-the-middle sends the BSR to the base station through the false UE, to indicate the data volume of the uplink buffer, and then the base station sends the fourth DCI to the man-in-the-middle, where the fourth DCI is used to determine the physical frame q.
- the base station stores frame information of the physical frame q.
- After indicating the physical frame q to the man-in-the-middle by using the fourth DCI, the base station stores the frame information of the physical frame q.
- the man-in-the-middle receives, in the physical frame p, the first physical frame query request message sent by the UE.
- Security protection is performed on the first physical frame query request message by using the AS security context established by the UE and the base station. Therefore, the man-in-the-middle is unable to tamper with the first physical frame query request message, and the message is transparently transmitted to the base station: the man-in-the-middle sends, in the physical frame q indicated by the base station for the man-in-the-middle, the first physical frame query request message to the base station.
- After receiving, in the physical frame q, the first physical frame query request message forwarded by the man-in-the-middle, the base station locally records the frame information of the physical frame q, where the frame information of the physical frame q includes a frame number and a subframe number of the physical frame q.
- in response to the first physical frame query request message including indication information (for example, the first physical frame query request message is an RRC message for enabling the man-in-the-middle detection, or the first RRC message includes indication information such as an indication bit carried in an existing measurement report, where the indication bit optionally indicates to enable the man-in-the-middle detection), the base station continues to retain the frame information of the physical frame q or restores the frame information of the physical frame q.
- the base station determines, based on the first RRC message, that a terminal enables the man-in-the-middle detection.
- a feature that the base station continues to retain the frame information of the physical frame q is applied to another embodiment in which information about a physical frame is retained. This is not limited in some embodiments.
- the frame information of the physical frame q further includes a slot number of the physical frame q.
- in response to a subframe including a plurality of slots, the base station indicates, to the UE by using DCI, the frame number, the subframe number, and the slot number of the physical frame q.
- After sending, in the physical frame p, the first physical frame query request message to the man-in-the-middle, the UE sends the second physical frame query request message, on which security protection is performed, to the man-in-the-middle, where the second physical frame query request message includes the frame information of the physical frame p.
- after determining to enable the man-in-the-middle detection, the UE includes the frame information of the physical frame p in the second physical frame query request message for the man-in-the-middle detection.
- the second RRC message is sent to perform a man-in-the-middle detection procedure, so that the base station determines, based on the information about the physical frame carried in the second physical frame query request message, whether the man-in-the-middle exists.
- the first physical frame query request message is an RRC layer message
- in response to the first physical frame query request message being encoded and constructed at the RRC layer, the physical frame in which the message will be sent is unable to be determined at that time.
- the first physical frame query request message enters a buffer queue.
- the UE reports the buffer status report to the base station.
- the base station schedules the UE in a unified manner.
- the UE uses the resource for message sending.
- the first physical frame query request message is unable to carry the frame information of the physical frame p.
- the man-in-the-middle receives the second physical frame query request message sent by the UE.
- the man-in-the-middle is unable to crack or tamper with the second physical frame query request message, and transparently transmits the second physical frame query request message to the base station.
- the base station determines whether the physical frame p matches the physical frame q.
- After receiving the second physical frame query request message transparently transmitted by the man-in-the-middle, the base station extracts the frame number and the subframe number of the physical frame p that are carried in the second physical frame query request message, and compares them with the frame number and the subframe number of the physical frame q that are locally recorded and stored.
- In response to both being the same, the physical frame p matches the physical frame q, and no man-in-the-middle exists between the UE and the base station. Otherwise, the physical frame p does not match the physical frame q, and the man-in-the-middle exists between the UE and the base station.
- in response to a slot number of a physical frame being considered, the second physical frame query request message carries the frame number, the subframe number, and the slot number of the physical frame p, and the base station compares them with the frame number, the subframe number, and the slot number of the physical frame q that are locally recorded.
- In response to all three being the same, the physical frame p matches the physical frame q, and no man-in-the-middle exists between the UE and the base station. Otherwise, the physical frame p does not match the physical frame q, and the man-in-the-middle exists between the UE and the base station.
- the base station issues a warning or takes a preventive measure.
- man-in-the-middle detection is performed based on that a physical frame in which the man-in-the-middle sends an uplink message through the false UE is unable to be consistent with a physical frame in which real UE sends the uplink message, to prevent the man-in-the-middle from bypassing detection through a mechanism of the man-in-the-middle and improve a man-in-the-middle detection rate.
- FIG. 6 is a schematic flowchart of another man-in-the-middle detection method 400 according to some embodiments. As shown in FIG. 6, the method 400 includes the following steps.
- S 410 UE sends, in a third physical frame, a third RRC message to a base station.
- the UE receives a fourth RRC message sent by the base station, where the fourth RRC message includes frame information of a fourth physical frame.
- the UE sends a fifth RRC message to the base station, where the fifth RRC message indicates whether the third physical frame matches the fourth physical frame.
- After successfully establishing an AS security context with the base station, the UE sends, in the third physical frame, the third RRC message, on which security protection is performed, to the base station, where the third physical frame is a time domain resource specified by the base station (or a false base station) for the UE.
- Security protection is performed on the third RRC message by using the access stratum AS security context established by the UE and the base station. Therefore, a man-in-the-middle is unable to crack or tamper with the third RRC message.
- air interface communication between the UE and the base station is intercepted by the man-in-the-middle.
- An air interface between the UE and the false base station and an air interface between false UE and the base station are independent of each other, that is, the base station is unable to directly receive the third RRC message sent by the UE.
- the man-in-the-middle receives the third RRC message through the false base station and forwards the third RRC message to the base station through the false UE.
- the base station receives, in the fourth physical frame, the third RRC message, and sends the fourth RRC message on which security protection is performed to the UE, where the fourth RRC message includes the frame information of the fourth physical frame.
- the UE receives the fourth RRC message, obtains the frame information of the fourth physical frame by using the fourth RRC message, and determines whether the third physical frame matches the fourth physical frame.
- in response to a man-in-the-middle attack existing, the physical frame in which the UE sends an uplink message is unable to be consistent with the physical frame in which the base station receives the uplink message. Therefore, in response to the third physical frame matching the fourth physical frame, the UE determines that no man-in-the-middle exists between the UE and the base station. In response to the third physical frame not matching the fourth physical frame, the UE determines that the man-in-the-middle exists between the UE and the base station. Then, the UE sends a fifth RRC message to the base station, where the fifth RRC message indicates whether the third physical frame matches the fourth physical frame.
- whether the man-in-the-middle exists in the air interface communication is determined by determining whether the physical frame in which the UE sends the uplink message matches the physical frame in which the base station receives the uplink message, to prevent the man-in-the-middle from bypassing detection through a mechanism of the man-in-the-middle and improve a man-in-the-middle detection rate.
- FIG. 7 shows a schematic flowchart of a man-in-the-middle detection method 500 according to some embodiments in response to a man-in-the-middle attack existing between UE and a base station. As shown in FIG. 7, the method 500 includes the following steps.
- S 510 The UE establishes an AS security context with the base station.
- the UE accesses the base station, that is, the UE establishes an indirect connection to the base station through the man-in-the-middle, and then the UE establishes the access stratum AS security context with the base station.
- security protection is performed on RRC messages, and the man-in-the-middle is unable to tamper with the RRC message sent between the UE and the base station.
- the man-in-the-middle sends fifth DCI to the UE, where the fifth DCI is used to determine a physical frame in which the UE sends an RRC message.
- the UE sends a buffer status report (buffer status report, BSR) to the man-in-the-middle to indicate a data volume of an uplink buffer, and then the man-in-the-middle sends the fifth DCI to the UE to allocate an appropriate available resource to the UE.
- the UE determines a physical frame e based on the fifth DCI.
- the UE locally records frame information of the physical frame e, where the frame information of the physical frame e includes a frame number and a subframe number of the physical frame e.
- before step S 520, in response to a first preset rule being met, the UE enables man-in-the-middle detection.
- the enabling man-in-the-middle detection means that the UE performs the method mentioned in some embodiments.
- the enabling man-in-the-middle detection includes: The UE sends a physical frame query request message and stores the frame information of the physical frame e.
- the first preset rule includes: The UE receives indication information from the base station, where the indication information indicates the UE to enable man-in-the-middle detection; or the UE determines that user plane integrity protection between the UE and the base station is not enabled.
- in response to a second preset rule being met, the base station sends indication information to the UE to indicate the UE to enable the man-in-the-middle detection.
- the second preset rule is, for example, that a key performance indicator (key performance indicator, KPI) is greater than a second threshold.
- the UE sends, in the physical frame e, the physical frame query request message that is carried in the RRC message, to perform man-in-the-middle detection.
- Security protection is performed on the message by using the access stratum AS security context established between the UE and the base station, and therefore the message is unable to be tampered with by the man-in-the-middle.
- the physical frame query request message is an empty RRC message.
- the base station sends sixth DCI to the man-in-the-middle, where the sixth DCI is used to determine a physical frame for the man-in-the-middle to perform RRC communication.
- the man-in-the-middle sends the buffer status report (buffer status report, BSR) to the base station through the false UE to indicate the data volume of the uplink buffer. Then, the base station sends the sixth DCI to the man-in-the-middle to allocate an appropriate available resource to the false UE. The man-in-the-middle determines a physical frame f based on the sixth DCI.
- the man-in-the-middle receives the physical frame query request message sent by the UE. Because security protection is performed on the message, the man-in-the-middle is unable to tamper with the message. Therefore, the man-in-the-middle forwards, in the physical frame f indicated by the base station to the man-in-the-middle, the physical frame query request message to the base station.
- the base station sends a physical frame query response message to the man-in-the-middle.
- After receiving, in the physical frame f, the physical frame query request message transparently transmitted by the man-in-the-middle, the base station sends the physical frame query response message, on which security protection is performed, to the false UE.
- the physical frame query response message carries frame information of the physical frame f, where the frame information of the physical frame f includes a frame number and a subframe number of the physical frame f.
- After receiving the physical frame query response message sent by the base station, the man-in-the-middle forwards the physical frame query response message to the UE through the false base station.
- S 580 The UE determines whether the physical frame e matches the physical frame f.
- After receiving the physical frame query response message sent by the false base station, the UE extracts the frame number and the subframe number of the physical frame f that are carried in the physical frame query response message, and compares them with the frame number and the subframe number of the physical frame e that were locally recorded and stored in response to the physical frame query request message being successfully sent.
- In response to both being the same, the physical frame e matches the physical frame f, and no man-in-the-middle exists between the UE and the base station. Otherwise, the physical frame e does not match the physical frame f, and the man-in-the-middle exists between the UE and the base station.
- S 590 The UE sends a physical frame query indication message to the base station.
- After determining whether the physical frame e matches the physical frame f, the UE sends the physical frame query indication message, on which security protection is performed, to the base station, and the physical frame query indication message is received by the base station after being transparently transmitted by the man-in-the-middle.
- the physical frame query indication message includes a determining result, where the determining result indicates whether the physical frame e matches the physical frame f.
- After determining, based on the physical frame query indication message, that the man-in-the-middle exists, the base station issues a warning or takes a preventive measure.
- man-in-the-middle detection is performed based on that a physical frame in which the man-in-the-middle sends an uplink message through the false UE is unable to be consistent with a physical frame in which real UE sends the uplink message, to prevent the man-in-the-middle from bypassing detection through a mechanism of the man-in-the-middle and improve a man-in-the-middle detection rate.
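Methods 300 (base station compares p with q) and 500 (UE compares e with f) rest on the same two facts: the false base station and the real base station run independent schedulers, so the frame the man-in-the-middle grants to the UE is not the frame the real base station grants to the false UE, and the RRC messages carrying the frame information are integrity protected, so the forwarding party cannot rewrite them to match. The Python below is an added simulation of both methods and is not the patent's or any vendor's code. It stands in for AS security protection with an HMAC over the message body under a constructed shared key, models each cell as a scheduler with its own SFN/subframe counter (constructed starting values), and runs the exchange once without and once with a relaying man-in-the-middle; the class and method names, the JSON message encoding and the `ue` identifier are this example's own assumptions.

```python
"""Added example (not from the patent): toy simulation of detection methods 300 and 500."""
import hashlib
import hmac
import json
from dataclasses import dataclass

SFN_RANGE = 1024          # system frame number 0..1023
SUBFRAMES_PER_FRAME = 10  # subframes 0..9
SCHED_OFFSET = 4          # DCI in subframe n -> uplink transmission in subframe n+4 (x = 4)


def advance(frame: tuple, k: int = SCHED_OFFSET) -> tuple:
    """Move (sfn, subframe) forward by k subframes, wrapping at the end of the SFN cycle."""
    sfn, sf = frame
    n = (sfn * SUBFRAMES_PER_FRAME + sf + k) % (SFN_RANGE * SUBFRAMES_PER_FRAME)
    return divmod(n, SUBFRAMES_PER_FRAME)


class ASSecurityContext:
    """Stand-in for RRC integrity protection: HMAC-SHA256 under the shared AS key (constructed).
    Without the key, a relaying party cannot change the frame information unnoticed."""

    def __init__(self, key: bytes):
        self.key = key

    def protect(self, payload: dict) -> dict:
        body = json.dumps(payload, sort_keys=True)
        return {"body": body, "mac": hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()}

    def verify(self, msg: dict) -> dict:
        mac = hmac.new(self.key, msg["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, msg["mac"]):
            raise ValueError("RRC integrity check failed")
        return json.loads(msg["body"])


@dataclass
class Cell:
    """A scheduler with its own SFN timeline: the real gNB, or the MitM's false base station."""
    sfn: int
    subframe: int

    def grant(self) -> tuple:
        """Answer an SR/BSR with DCI: the uplink resource lies SCHED_OFFSET subframes ahead."""
        self.sfn, self.subframe = advance((self.sfn, self.subframe))
        return (self.sfn, self.subframe)


class BaseStation:
    def __init__(self, ctx: ASSecurityContext):
        self.ctx, self.recorded = ctx, {}        # frame q (or f) recorded per UE

    def receive_query_request(self, msg: dict, rx_frame: tuple) -> None:
        body = self.ctx.verify(msg)              # S350 / S560: verify, then record the rx frame
        self.recorded[body["ue"]] = list(rx_frame)

    def check_report(self, msg: dict) -> bool:
        body = self.ctx.verify(msg)              # method 300, S390: compare reported p with q
        return body["frame"] == self.recorded[body["ue"]]

    def query_response(self, ue_id: str) -> dict:  # method 500, S560: return f to the UE
        return self.ctx.protect({"ue": ue_id, "frame": self.recorded[ue_id]})


class UE:
    def __init__(self, ctx: ASSecurityContext, ue_id: str):
        self.ctx, self.ue_id, self.sent_frame = ctx, ue_id, None

    def send_query_request(self, granted: tuple) -> dict:
        self.sent_frame = list(granted)          # S330 / S530: remember physical frame p (e)
        return self.ctx.protect({"ue": self.ue_id, "type": "query"})

    def report_sent_frame(self) -> dict:         # S370: second query request carrying frame p
        return self.ctx.protect({"ue": self.ue_id, "frame": self.sent_frame})

    def check_response(self, msg: dict) -> bool:  # method 500, S580: compare e with f
        return self.ctx.verify(msg)["frame"] == self.sent_frame


def run(with_mitm: bool) -> tuple:
    """Return (method 300 verdict, method 500 verdict); True means the frames match (no MitM)."""
    ctx = ASSecurityContext(b"constructed-as-key")
    real = Cell(sfn=17, subframe=3)              # real cell's current time (constructed)
    bs, ue = BaseStation(ctx), UE(ctx, "ue-1")
    if with_mitm:
        false_cell = Cell(sfn=902, subframe=6)   # MitM's own, independent timeline (constructed)
        p = false_cell.grant()                   # S320: false base station grants frame p
        req = ue.send_query_request(p)           # S330: UE transmits in p
        q = real.grant()                         # S340: real gNB grants the false UE frame q
        bs.receive_query_request(req, q)         # S350: forwarded message arrives in q
    else:
        p = real.grant()                         # no MitM: the gNB itself grants p ...
        req = ue.send_query_request(p)
        bs.receive_query_request(req, p)         # ... and receives the message in that frame
    return bs.check_report(ue.report_sent_frame()), ue.check_response(bs.query_response("ue-1"))


def forged_report_is_rejected() -> bool:
    """A relay that rewrites the frame field of the report fails integrity verification."""
    ctx = ASSecurityContext(b"constructed-as-key")
    ue = UE(ctx, "ue-1")
    ue.send_query_request((1, 1))
    msg = ue.report_sent_frame()
    msg["body"] = msg["body"].replace("[1, 1]", "[2, 2]")
    try:
        ctx.verify(msg)
    except ValueError:
        return True
    return False
```

`run(False)` returns `(True, True)` and `run(True)` returns `(False, False)`: the same recorded frame feeds both verdicts, so the base-station-side and UE-side variants only differ in who holds the two values when they are compared. The simulation deliberately gives the two cells unrelated SFN counters; the real base station's scheduling decision is what the man-in-the-middle cannot predict, and that is the property the page relies on rather than any key material the relay lacks.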
- FIG. 8 is a schematic block diagram of a communication apparatus according to some embodiments. As shown in the figure, the communication apparatus 10 includes a transceiver module 11 and a processing module 12 .
- the communication apparatus 10 corresponds to the base station in the foregoing method embodiments.
- the communication apparatus 10 corresponds to the user equipment in the method 100 , the method 200 , and the method 300 according to some embodiments.
- the communication apparatus 10 includes a module configured to perform a method performed by the base station in the method 100 in FIG. 3 , the method 200 in FIG. 4 , or the method 300 in FIG. 5 .
- units in the communication apparatus 10 and the foregoing other operations and/or functions are separately intended to implement corresponding procedures of the method 100 in FIG. 3 , the method 200 in FIG. 4 , or the method 300 in FIG. 5 .
- the transceiver module 11 is configured to perform step S 110 and step S 120 in the method 100.
- the processing module 12 is configured to perform step S 130 in the method 100 .
- the transceiver module 11 is configured to perform step S 240 , step S 250 , and step S 260 in the method 200 .
- the transceiver module 11 is configured to perform step S 340, step S 350, and step S 380 in the method 300.
- the processing module 12 is configured to perform step S 360 and S 390 in the method 300 .
- the transceiver module 11 is configured to receive, in a first physical frame, a first radio resource control RRC message from user equipment UE.
- the transceiver module is further configured to receive a second RRC message from the UE, where the second RRC message includes frame information of a second physical frame, and security protection is performed on the first RRC message and the second RRC message by using an access stratum AS security context established by the UE and a base station.
- the processing module is configured to determine whether the first physical frame matches the second physical frame.
- the processing module 12 is configured to: in response to a frame number of the first physical frame being the same as a frame number of the second physical frame and a subframe number of the first physical frame being the same as a subframe number of the second physical frame, determine, by the base station, that the first physical frame matches the second physical frame; otherwise, determine, by the base station, that the first physical frame does not match the second physical frame.
- the processing module 12 is further configured to store frame information of a third physical frame.
- processing module 12 is further configured to establish the AS security context with the UE.
- the transceiver module 11 is further configured to send indication information to the UE, where the indication information indicates the UE to send a fourth RRC message to the base station.
- FIG. 9 is a schematic block diagram of a communication apparatus according to some embodiments. As shown in the figure, the communication apparatus 20 includes a transceiver module 21 and a processing module 22 .
- the communication apparatus 20 corresponds to the user equipment UE in the foregoing method embodiments or a chip disposed in the UE.
- the communication apparatus 20 corresponds to the base station in the method 100 , the method 200 , and the method 300 according to some embodiments.
- the communication apparatus 20 includes a module configured to perform a method performed by the user equipment in the method 100 in FIG. 3 , the method 200 in FIG. 4 , or the method 300 in FIG. 5 .
- units in the communication apparatus 20 and the foregoing other operations and/or functions are separately intended to implement corresponding procedures of the method 100 in FIG. 3 , the method 200 in FIG. 4 , or the method 300 in FIG. 5 .
- the transceiver module 11 is configured to perform step S 110 and step S 120 in the method 100 .
- the transceiver module 11 is configured to perform step S 210 , step S 220 , and step S 230 in the method 200 .
- the transceiver module 11 is configured to perform step S 320 , step S 330 , and step S 370 in the method 300 .
- the transceiver module 21 is configured to send, in a second physical frame, a first radio resource control RRC message to a base station.
- the transceiver module is further configured to send a second RRC message to the base station, where the second RRC message includes frame information of the second physical frame, and security protection is performed on the first RRC message and the second RRC message by using an access stratum AS security context established by UE and the base station.
- the transceiver module 21 is further configured to receive downlink control information DCI, where the DCI is used to determine the frame information of the second physical frame.
- the processing module 22 is configured to store the frame information of the second physical frame.
- processing module 22 is further configured to access the base station and establish the AS security context with the base station.
- the transceiver module 21 is configured to: in response to a preset rule being met, send, by the UE in the second physical frame, the first RRC message to the base station.
- the processing module 22 is further configured to receive indication information sent by the base station, where the indication information indicates the UE to enable man-in-the-middle detection, or to determine that user plane integrity protection between the UE and the base station is not enabled.
- FIG. 10 is a schematic block diagram of a communication apparatus according to some embodiments. As shown in the figure, the communication apparatus 30 includes a transceiver module 31 and a processing module 32 .
- the communication apparatus 30 corresponds to the user equipment UE in the foregoing method embodiments.
- the communication apparatus 30 corresponds to the base station in the method 400 and the method 500 according to some embodiments.
- the communication apparatus 30 includes a module configured to perform a method performed by the UE in the method 400 in FIG. 6 or the method 500 in FIG. 7 .
- units in the communication apparatus 30 and the foregoing other operations and/or functions are separately intended to implement corresponding procedures of the method 400 in FIG. 6 or the method 500 in FIG. 7 .
- the transceiver module 41 is configured to perform step S 410 and step S 420 in the method 400 .
- the processing module 42 is configured to perform step S 430 in the method 400 .
- the transceiver module 41 is configured to perform step S 520 , step S 530 , step S 570 , and step S 590 in the method 500 .
- the processing module 42 is configured to perform step S 580 in the method 500 .
- the transceiver module 31 is configured to send, in a third physical frame, a third radio resource control RRC message to a base station.
- the transceiver module is further configured to receive a fourth RRC message from the base station, where the fourth RRC message includes frame information of a fourth physical frame.
- the transceiver module is further configured to send a fifth RRC message to the base station, where the fifth RRC message indicates whether the third physical frame matches the fourth physical frame, and security protection is performed on the third RRC message, the fourth RRC message, and the fifth RRC message by using an access stratum AS security context established by UE and the base station.
- the processing module 32 is configured to: in response to a frame number of the third physical frame being the same as a frame number of the fourth physical frame and a subframe number of the third physical frame being the same as a subframe number of the fourth physical frame, determine, by the UE, that the third physical frame matches the fourth physical frame; otherwise, determine, by the UE, that the third physical frame does not match the fourth physical frame.
- the transceiver module 31 is further configured to receive downlink control information DCI, where the DCI is used to determine frame information of the third physical frame, and the frame information of the third physical frame includes the frame number and the subframe number of the third physical frame.
- the processing module 32 is further configured to store the frame information of the third physical frame.
- processing module 32 is further configured to access the base station and establish the AS security context with the base station.
- FIG. 11 is a schematic block diagram of a communication apparatus according to some embodiments. As shown in the figure, the communication apparatus 30 includes a transceiver module 41 and a processing module 42 .
- the communication apparatus 40 corresponds to the base station in the foregoing method embodiments.
- the communication apparatus 40 corresponds to the base station in the method 400 and the method 500 according to some embodiments.
- the communication apparatus 40 includes a module configured to perform a method performed by the base station in the method 400 in FIG. 6 or the method 500 in FIG. 7 .
- units in the communication apparatus 30 and the foregoing other operations and/or functions are separately intended to implement corresponding procedures of the method 400 in FIG. 6 or the method 500 in FIG. 7 .
- the transceiver module 41 is configured to perform step S 410 , step S 420 , and step S 440 in the method 400 .
- the transceiver module 41 is configured to perform step S 540 , step S 550 , step S 560 , and step S 590 in the method 500 .
- the processing module 42 is configured to perform step S 510 in the method 500 .
- the transceiver module 41 is configured to receive, in a fourth physical frame, a third RRC message from user equipment UE.
- the transceiver module is further configured to send a fourth RRC message to the UE, where the fourth RRC message includes frame information of the fourth physical frame.
- the transceiver module is further configured to receive a fifth RRC message sent by the UE.
- the processing module is configured to determine, based on the fifth RRC message, whether a man-in-the-middle exists between a base station and the UE.
- the processing module 42 is configured to: in response to a third physical frame not matching the fourth physical frame, determine that the man-in-the-middle exists between the base station and the UE; or in response to the third physical frame matching the fourth physical frame, determine that no man-in-the-middle exists between the base station and the UE.
- processing module 42 is further configured to establish an AS security context with the UE.
- the transceiver module 41 is further configured to send indication information to the UE, where the indication information indicates the UE to enable man-in-the-middle detection.
- FIG. 12 is a schematic diagram of a communication apparatus 50 according to some embodiments.
- the apparatus 50 is a device that detects a man-in-the-middle and includes various handheld devices, in-vehicle devices, wearable devices, computing devices that have a wireless communication function, or other processing devices connected to a wireless modem, and various forms of terminals, mobile stations (Mobile Stations, MSs), terminals (Terminals), user equipment UEs, soft terminals, and the like.
- the apparatus 50 includes a processor 51 (that is, an example of a processing module) and a memory 52 .
- the memory 52 is configured to store instructions.
- the processor 51 is configured to execute the instructions stored in the memory 52 , to enable the apparatus 30 to implement a step performed by a network registration device in the method corresponding to FIG. 3 , FIG. 4 , FIG. 5 , FIG. 6 , or FIG. 7 .
- the apparatus 50 further includes an input port 53 (that is, an example of a transceiver module) and an output port 54 (that is, another example of a transceiver module).
- the processor 51 , the memory 52 , the input port 53 , and the output port 54 communicate with each other through an internal connection path, to transmit a control signal and/or a data signal.
- the memory 32 is configured to store a computer program.
- the processor 51 is configured to invoke the computer program from the memory 52 and run the computer program, to control the input port 53 to receive a signal, and control the output port 54 to send a signal, so as to complete a step performed by the terminal device in the foregoing methods.
- the memory 52 is integrated into the processor 51 , or is disposed separately from the processor 51 .
- the input port 53 is a receiver.
- the output port 54 is a transmitter.
- the receiver and the transmitter are the same physical entity or different physical entities.
- the receiver and the transmitter are collectively referred to as a transceiver.
- the input port 53 is an input interface.
- the output port 54 is an output interface.
- functions of the input port 53 and the output port 54 are implemented by using a transceiver circuit or a dedicated transceiver chip.
- the processor 51 is implemented by using a dedicated processing chip, a processing circuit, a processor, or a general-purpose chip.
- the communication device provided in some embodiments is implemented by using a general-purpose computer.
- Program code for implementing functions of the processor 51 , the input port 53 , and the output port 54 is stored in the memory 52 .
- the general-purpose processor implements the functions of the processor 51 , the input port 53 , and the output port 54 by executing the code in the memory 52 .
- Modules or units in the communication apparatus 50 are configured to perform actions or processing processes performed by a device (for example, user equipment) for man-in-the-middle detection in the foregoing methods. To avoid repetition, detailed descriptions thereof are omitted herein.
- FIG. 13 is a schematic diagram of a communication apparatus 60 according to some embodiments.
- the apparatus 60 is a man-in-the-middle detection device, and includes a network element having an access management function, for example, an AMF.
- the apparatus 60 includes a processor 61 (that is, an example of a processing module) and a memory 62 .
- the memory 62 is configured to store instructions.
- the processor 61 is configured to execute the instructions stored in the memory 62 , to enable the apparatus 60 to implement a step performed by a device for man-in-the-middle detection in the method corresponding to FIG. 3 , FIG. 4 , FIG. 5 , FIG. 6 , or FIG. 7 .
- the apparatus 60 further includes an input port 63 (that is, an example of a transceiver module) and an output port 64 (that is, another example of a transceiver module).
- the processor 61 , the memory 62 , the input port 63 , and the output port 64 communicate with each other through an internal connection path, to transmit a control signal and/or a data signal.
- the memory 62 is configured to store a computer program.
- the processor 61 is configured to invoke the computer program from the memory 62 and run the computer program, to control the input port 63 to receive a signal, and control the output port 64 to send a signal, so as to complete a step performed by the terminal device in the foregoing methods.
- the memory 62 is integrated into the processor 61 , or is disposed separately from the processor 61 .
- the input port 63 is a receiver.
- the output port 64 is a transmitter.
- the receiver and the transmitter are the same physical entity or different physical entities.
- the receiver and the transmitter are collectively referred to as a transceiver.
- the input port 63 is an input interface.
- the output port 44 is an output interface
- functions of the input port 63 and the output port 64 are implemented by using a transceiver circuit or a dedicated transceiver chip.
- the processor 61 is implemented by using a dedicated processing chip, a processing circuit, a processor, or a general-purpose chip.
- the communication device provided in some embodiments is implemented by using a general-purpose computer.
- Program code for implementing functions of the processor 61 , the input port 63 , and the output port 64 is stored in the memory 62 .
- the general-purpose processor implements the functions of the processor 61 , the input port 63 , and the output port 64 by executing the code in the memory 62 .
- Modules or units in the communication apparatus 60 are configured to perform actions or processing processes performed by a network-side device (that is, a network device) during network registration in the foregoing methods. To avoid repetition, detailed descriptions thereof are omitted herein.
- FIG. 14 is a schematic diagram of a structure of a terminal device 500 according to some embodiments.
- the terminal device 500 includes a processor, a memory, a control circuit, an antenna, and an input/output apparatus.
- the processor is mainly configured to process a communication protocol and communication data, control the entire terminal device, execute a software program, and process data of the software program, for example, is configured to support the terminal device in performing actions described in the foregoing embodiments of an indication method for transmitting a precoding matrix.
- the memory is mainly configured to store a software program and data, for example, store a codebook described in the foregoing embodiments.
- the control circuit is mainly configured to convert a baseband signal and a radio frequency signal, and process the radio frequency signal.
- the control circuit and the antenna together are also referred to as a transceiver, and are mainly configured to receive and send a radio frequency signal in a form of an electromagnetic wave.
- the input/output apparatus such as a touchscreen, a display, or a keyboard, is mainly configured to receive data entered by a user and output data to the user.
- After the terminal device is powered on, the processor reads a software program from a storage unit, interprets and executes instructions of the software program, and processes data of the software program. When data is to be sent wirelessly, the processor performs baseband processing on the to-be-sent data, and then outputs a baseband signal to a radio frequency circuit.
- the radio frequency circuit performs radio frequency processing on the baseband signal, and then sends, through the antenna, a radio frequency signal in a form of an electromagnetic wave.
- the radio frequency circuit receives the radio frequency signal through the antenna, converts the radio frequency signal into a baseband signal, and outputs the baseband signal to the processor.
- the processor converts the baseband signal into data, and processes the data.
- FIG. 14 shows one memory and one processor.
- the memory is also referred to as a storage medium, a storage device, or the like. This is not limited in some embodiments.
- the processor includes a baseband processor and a central processing unit.
- the baseband processor is mainly configured to process a communication protocol and communication data.
- the central processing unit is mainly configured to control the entire terminal device, execute a software program, and process data of the software program.
- the processor in FIG. 14 integrates functions of the baseband processor and the central processing unit.
- the baseband processor and the central processing unit are alternatively separate processors, and are interconnected by using a technology such as a bus.
- the terminal device includes a plurality of baseband processors to adapt to different network standards.
- the terminal device includes a plurality of central processing units to enhance a processing capability of the terminal device.
- the baseband processor is alternatively expressed as a baseband processing circuit or a baseband processing chip.
- the central processing unit is alternatively expressed as a central processing circuit or a central processing chip.
- a function of processing a communication protocol and communication data is built in the processor, or is stored in the storage unit in a form of a software program, and the processor executes the software program to implement a baseband processing function.
- the terminal device 700 includes a transceiver unit 710 and a processing unit 720 .
- the transceiver unit is also referred to as a transceiver, a transceiver machine, a transceiver apparatus, or the like.
- a component that is in the transceiver unit 710 and that is configured to implement a receiving function is considered as a receiving unit.
- a component that is in the transceiver unit 710 and that is configured to implement a sending function is considered as a sending unit.
- the transceiver unit 510 includes a receiving unit and a sending unit.
- the receiving unit is also referred to as a receiver, a receive machine, or a receiving circuit.
- the sending unit is also referred to as a transmitter, a transmit machine, or a transmitting circuit.
- the terminal device shown in FIG. 14 performs actions performed by the user equipment in the foregoing method 100 , 200 , 300 , 400 , or 500 . To avoid repetition, detailed descriptions thereof are omitted herein.
- the processor is a central processing unit (central processing unit, CPU), or is another general-purpose processor, a digital signal processor (digital signal processor, DSP), an application-specific integrated circuit (application-specific integrated circuit, ASIC), a field programmable gate array (field programmable gate array, FPGA), or another programmable logic device, discrete gate, transistor logic device, discrete hardware component, or the like.
- the general-purpose processor is a microprocessor, or the processor is any conventional processor or the like.
- the memory in some embodiments is a volatile memory or a nonvolatile memory, or includes a volatile memory and a nonvolatile memory.
- the nonvolatile memory is a read-only memory (Read-only Memory, ROM), a programmable read-only memory (Programmable ROM, PROM), an erasable programmable read-only memory (Erasable PROM, EPROM), an electrically erasable programmable read-only memory (Electrically EPROM, EEPROM), or a flash memory.
- the volatile memory is a random access memory (Random access memory, RAM), used as an external cache.
- random access memories in many forms are available, for example, a static random-access memory (Static RAM, SRAM), a dynamic random-access memory (DRAM), a synchronous dynamic random access memory (Synchronous DRAM, SDRAM), a double data rate synchronous dynamic random access memory (Double data rate SDRAM, DDR SDRAM), an enhanced synchronous dynamic random access memory (Enhanced SDRAM, ESDRAM), a synchlink dynamic random access memory (Synchlink DRAM, SLDRAM), and a direct rambus random access memory (Direct rambus RAM, DR RAM).
- All or some of the foregoing embodiments are implemented by software, hardware, firmware, or any combination thereof.
- the foregoing embodiments are implemented completely or partially in a form of a computer program product.
- the computer program product includes one or more computer instructions or computer programs.
- procedures or functions according to some embodiments are all or partially generated.
- the computer is a general-purpose computer, a dedicated computer, a computer network, or another programmable apparatus.
- the computer instructions are stored in a computer-readable storage medium or are transmitted from a computer-readable storage medium to another computer-readable storage medium.
- the computer instructions are transmitted from a website, computer, server, or data center to another website, computer, server, or data center in a wired (for example, infrared, radio, or microwave) manner.
- the computer-readable storage medium is any usable medium accessible by a computer, or a data storage device, such as a server or a data center, integrating one or more usable media.
- the usable medium is a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium.
- the semiconductor medium is a solid-state drive.
- A and/or B in some embodiments describes an association relationship between associated objects and represents that three relationships exist.
- A and/or B represents the following three cases: A exists, both A and B exist, and B exists.
- the character “/” in some embodiments generally represents an “or” relationship between associated objects.
- Sequence numbers of the foregoing processes do not mean execution sequences in some embodiments.
- the execution sequences of the processes are determined based on functions and internal logic of the processes. This shall not be construed as any limitation on the implementation processes of some embodiments.
- the disclosed system, apparatus, and method are implemented in other manners.
- the described apparatus embodiment is an example.
- division into the units is a logical function division, and another division is possible during implementation.
- a plurality of units or components are combined or integrated into another system, or some features are ignored or not performed.
- a displayed or discussed mutual coupling or direct coupling or communication connection is implemented through some interfaces.
- An indirect coupling or communication connection between apparatuses or units is implemented in electronic, mechanical, or other forms.
- the units described as separate components are or are not physically separate, and components displayed as units are or are not physical units, that is, they are located at one position or distributed on a plurality of network units. Some or all of the units are selected based on a condition to achieve an objective of the solutions of the embodiments.
- functional units in some embodiments are integrated into one processing unit, each of the units exists alone physically, or two or more units are integrated into one unit.
- the functions are stored in a computer-readable storage medium. Based on such an understanding, the technical solutions of this application, or a part contributing to the conventional technology, or some of the technical solutions are embodied in a form of a software product.
- the computer software product is stored in a storage medium, and includes several instructions for enabling a computer device (which is a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in some embodiments.
- the foregoing storage medium includes any medium that stores a program code, such as a USB flash drive, a removable hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, or an optical disc.
Abstract
A man-in-the-middle detection method and apparatus. The method includes: A base station receives, in a first physical frame, a first RRC message from user equipment UE; the base station receives from the UE a second RRC message including frame information of a second physical frame, and security protection is performed on the first RRC message and the second RRC message by using an access stratum AS security context established by the UE and the base station; and the base station determines whether the first physical frame matches the second physical frame. Thereby, whether a man-in-the-middle exists in air interface communication is determined by determining whether the physical frame in which the UE sends an uplink message matches the physical frame in which the base station receives the uplink message, to prevent the man-in-the-middle from bypassing detection through a mechanism of the man-in-the-middle and to improve a man-in-the-middle detection rate.
Description
- This application is a continuation of International Application No. PCT/CN2020/124992, filed on Oct. 29, 2020, the disclosure of which is hereby incorporated in entirety by reference.
- In a wireless communication system, radio resource control (radio resource control, RRC) signaling or user plane data is sent between user equipment (user equipment, UE) and a base station. However, attackers deploy a false base station between the UE and the base station to eavesdrop on, tamper with, forge, inject, and release air interface messages, causing a DoS attack on a terminal and a network.
- A man-in-the-middle is a type of false base station that includes a false base station part function and a false UE part function. When UE in an idle state approaches a false base station and detects that the signal quality of the cell of the false base station is good and meets a cell reselection condition, the UE triggers a cell reselection process and camps on the cell of the false base station. When UE in a connected state approaches a false base station and detects that the signal quality of the cell of the false base station is good, the UE reports a measurement result to its serving cell. The serving cell triggers handover of the UE to the cell of the false base station, so that the UE camps on the cell of the false base station. The false UE part function is used to forward or modify communication data of the real UE, access a real base station as the real UE, and communicate with an access and mobility management function (access and mobility management function, AMF) based on the N2 protocol. It is usually difficult for the network side and the terminal side to perceive a man-in-the-middle.
- A current method for discovering a man-in-the-middle is usually as follows: A hash (HASH) value of a received master information block (master information block, MIB)/system information block (system information block, SIB) is calculated by the UE, and the hash value of the MIB/SIB is carried in a measurement report (measurement report, MR)/logged MR to be reported to the real base station. The real base station calculates a hash value of the MIB/SIB and compares it with the value reported by the UE; in response to the two values being inconsistent, it determines that a man-in-the-middle exists.
- However, in response to the man-in-the-middle completely imitating the MIB/SIB of the real base station, this method cannot detect the man-in-the-middle.
- Therefore, providing a man-in-the-middle detection method that prevents a man-in-the-middle from bypassing detection through a mechanism of the man-in-the-middle is an urgent problem to be resolved currently.
- Some embodiments provide a man-in-the-middle detection method and apparatus, to effectively improve an air interface man-in-the-middle detection rate and prevent a man-in-the-middle from bypassing a detection mechanism through technical means.
- In some embodiments, a man-in-the-middle detection method is provided. The method includes: A base station receives, in a first physical frame, a first radio resource control RRC message from user equipment UE; the base station receives a second RRC message from the UE, where the second RRC message includes frame information of a second physical frame, and security protection is performed on the first RRC message and the second RRC message by using an access stratum AS security context established by the UE and the base station; and the base station determines whether the first physical frame matches the second physical frame.
- In some embodiments the frame information of the second physical frame includes a frame number and a subframe number of the second physical frame.
- In some embodiments, that the base station determines whether the first physical frame matches the second physical frame includes: In response to a frame number of the first physical frame being the same as the frame number of the second physical frame and a subframe number of the first physical frame being the same as the subframe number of the second physical frame, the base station determines that the first physical frame matches the second physical frame; otherwise, the base station determines that the first physical frame does not match the second physical frame.
- In some embodiments, after that a base station receives, in a first physical frame, a first radio resource control RRC message from UE, the method further includes: The base station stores frame information of the first physical frame.
- In some embodiments, before that a base station receives, in a first physical frame, a first radio resource control RRC message from UE, the method further includes: The base station establishes the AS security context with the UE.
- In some embodiments, before that a base station receives, in a first physical frame, a first RRC message from UE, the method further includes: The base station sends indication information to the UE, where the indication information indicates the UE to enable man-in-the-middle detection.
- In some embodiments, a man-in-the-middle detection method is provided. The method includes: User equipment UE sends, in a second physical frame, a first radio resource control RRC message to a base station; and the UE sends a second RRC message to the base station, where the second RRC message includes frame information of the second physical frame, and security protection is performed on the first RRC message and the second RRC message by using an access stratum AS security context established by the UE and the base station.
- In some embodiments, the frame information of the second physical frame includes a frame number and a subframe number of the second physical frame.
- In some embodiments, before that user equipment UE sends, in a second physical frame, a first radio resource control RRC message to a base station, the method further includes: The UE receives downlink control information DCI, where the DCI is used to determine the frame information of the second physical frame; and the UE stores the frame information of the second physical frame.
- In some embodiments, before that user equipment UE sends, in a second physical frame, a first radio resource control RRC message to a base station, the method further includes: The UE accesses the base station, and establishes the AS security context with the base station.
- In some embodiments, that user equipment UE sends, in a second physical frame, a first radio resource control RRC message to a base station includes: In response to a preset rule being met, the UE sends, in the second physical frame, the first RRC message to the base station.
- In some embodiments, the preset rule includes: The UE receives indication information sent by the base station, where the indication information indicates the UE to enable man-in-the-middle detection; or the UE determines that user plane integrity protection between the UE and the base station is not enabled.
- In some embodiments, a man-in-the-middle detection method is provided. The method includes: User equipment UE sends, in a third physical frame, a third radio resource control RRC message to a base station; the UE receives a fourth RRC message from the base station, where the fourth RRC message includes frame information of a fourth physical frame; the UE determines whether the third physical frame matches the fourth physical frame; and the UE sends a fifth RRC message to the base station, where the fifth RRC message indicates whether the third physical frame matches the fourth physical frame, and security protection is performed on the third RRC message, the fourth RRC message, and the fifth RRC message by using an access stratum AS security context established by the UE and the base station.
- In some embodiments, the frame information of the fourth physical frame includes a frame number and a subframe number of the fourth physical frame.
- In some embodiments, that the UE determines whether the third physical frame matches the fourth physical frame includes: In response to a frame number of the third physical frame being the same as the frame number of the fourth physical frame and a subframe number of the third physical frame being the same as the subframe number of the fourth physical frame, the UE determines that the third physical frame matches the fourth physical frame; otherwise, the UE determines that the third physical frame does not match the fourth physical frame.
- In some embodiments, before that user equipment UE sends, in a third physical frame, a third radio resource control RRC message to a base station, the method further includes: The UE receives downlink control information DCI, where the DCI is used to determine frame information of the third physical frame, and the frame information of the third physical frame includes the frame number and the subframe number of the third physical frame; and the UE stores the frame information of the third physical frame.
- In some embodiments, before that user equipment UE sends, in a third physical frame, a third radio resource control RRC message to a base station, the method further includes: The UE accesses the base station, and establishes the AS security context with the base station.
- In some embodiments, that user equipment UE sends, in a third physical frame, a third radio resource control RRC message to a base station includes: In response to a preset rule being met, the UE sends, in the second physical frame, the third RRC message to the base station.
- In some embodiments, the first preset rule includes: The UE receives indication information sent by the base station, where the indication information indicates the UE to enable man-in-the-middle detection; or the UE determines that user plane integrity protection between the UE and the base station is not enabled.
- In some embodiments, a man-in-the-middle detection method is provided. The method includes: A base station receives, in a fourth physical frame, a third RRC message from user equipment UE; the base station sends a fourth RRC message to the UE, where the fourth RRC message includes frame information of the fourth physical frame; the base station receives a fifth RRC message sent by the UE; and the base station determines, based on the fifth RRC message, whether a man-in-the-middle exists between the base station and the UE.
- In some embodiments, the fifth RRC message indicates whether a third physical frame matches the fourth physical frame, and the third physical frame is a physical frame in which the UE sends the third RRC message. That the base station determines, based on the fifth RRC message, whether a man-in-the-middle exists between the base station and the UE includes: In response to the third physical frame not matching the fourth physical frame, the base station determines that a man-in-the-middle exists between the base station and the UE; or in response to the third physical frame matching the fourth physical frame, the base station determines that no man-in-the-middle exists between the base station and the UE.
- In some embodiments, the frame information of the fourth physical frame includes a frame number and a subframe number of the fourth physical frame.
- In some embodiments, before that a base station receives, in a fourth physical frame, a third RRC message sent by user equipment UE, the method further includes: The base station establishes an AS security context with the UE.
- In some embodiments, before that a base station receives, in a fourth physical frame, a third RRC message from user equipment UE, the method further includes: The base station sends indication information to the UE, where the indication information indicates the UE to enable man-in-the-middle detection.
- In some embodiments, a man-in-the-middle detection apparatus is provided. The apparatus includes: a transceiver module, configured to receive, in a first physical frame, a first radio resource control RRC message from user equipment UE, where the transceiver module is further configured to receive a second RRC message from the UE, where the second RRC message includes frame information of a second physical frame, and security protection is performed on the first RRC message and the second RRC message by using an access stratum AS security context established by the UE and a base station; and a processing module, configured to determine whether the first physical frame matches the second physical frame.
- In some embodiments, the frame information of the second physical frame includes a frame number and a subframe number of the second physical frame.
- In some embodiments, the processing module is configured to: in response to a frame number of the first physical frame being the same as the frame number of the second physical frame and a subframe number of the first physical frame being the same as the subframe number of the second physical frame, determine, by the base station, that the first physical frame matches the second physical frame; otherwise, determine, by the base station, that the first physical frame does not match the second physical frame.
- In some embodiments, the processing module is further configured to store frame information of the third physical frame.
- In some embodiments, the processing module is further configured to establish the AS security context with the UE.
- In some embodiments, the transceiver module is further configured to send indication information to the UE, where the indication information indicates the UE to enable man-in-the-middle detection.
- In some embodiments, a man-in-the-middle detection apparatus is provided. The apparatus includes a transceiver module, configured to send, in a second physical frame, a first radio resource control RRC message to a base station. The transceiver module is further configured to send a second RRC message to the base station. The second RRC message includes frame information of the second physical frame, and security protection is performed on the first RRC message and the second RRC message by using an access stratum AS security context established by UE and the base station.
- In some embodiments, the frame information of the second physical frame includes a frame number and a subframe number of the second physical frame.
- In some embodiments, the transceiver module is further configured to receive downlink control information DCI, where the DCI is used to determine the frame information of the second physical frame. The apparatus further includes a processing module, where the processing module is configured to store the frame information of the second physical frame.
- In some embodiments, the processing module is further configured to access the base station and establish the AS security context with the base station.
- In some embodiments, the transceiver module is configured to: in response to a preset rule being met, send, by the UE in the second physical frame, the first RRC message to the base station.
- In some embodiments, the preset rule includes: The UE receives indication information sent by the base station, where the indication information indicates the UE to enable man-in-the-middle detection; or the UE determines that user plane integrity protection between the UE and the base station is not enabled.
- In some embodiments, a man-in-the-middle detection apparatus is provided. The apparatus includes: a transceiver module, configured to send, in a third physical frame, a third radio resource control RRC message to a base station. The transceiver module is further configured to receive a fourth RRC message from the base station, where the fourth RRC message includes frame information of a fourth physical frame; and the transceiver module is further configured to send a fifth RRC message to the base station, where the fifth RRC message indicates whether the third physical frame matches the fourth physical frame, and security protection is performed on the third RRC message, the fourth RRC message, and the fifth RRC message by using an access stratum AS security context established by UE and the base station.
- In some embodiments, the frame information of the fourth physical frame includes a frame number and a subframe number of the fourth physical frame.
- In some embodiments, the processing module is configured to: in response to a frame number of the third physical frame being the same as the frame number of the fourth physical frame and a subframe number of the third physical frame being the same as the subframe number of the fourth physical frame, determine, by the UE, that the third physical frame matches the fourth physical frame; otherwise, determine, by the UE, that the third physical frame does not match the fourth physical frame.
- In some embodiments, the transceiver module is further configured to receive downlink control information DCI, where the DCI is used to determine frame information of the third physical frame, and the frame information of the third physical frame includes the frame number and the subframe number of the third physical frame.
- The processing module is further configured to store the frame information of the third physical frame.
- In some embodiments, the processing module is further configured to access the base station and establish the AS security context with the base station.
- In some embodiments, the first preset rule includes: The UE receives indication information sent by the base station, where the indication information indicates the UE to enable man-in-the-middle detection; or the UE determines that user plane integrity protection between the UE and the base station is not enabled.
- In some embodiments, a man-in-the-middle detection apparatus is provided. The apparatus includes: a transceiver module, configured to receive, in a fourth physical frame, a third RRC message from user equipment UE, where the transceiver module is further configured to send a fourth RRC message to the UE, where the fourth RRC message includes frame information of the fourth physical frame; and the transceiver module is further configured to receive a fifth RRC message sent by the UE; and a processing module, configured to determine, based on the fifth RRC message, whether a man-in-the-middle exists between a base station and the UE.
- In some embodiments, the fifth RRC message indicates whether a third physical frame matches the fourth physical frame, and the third physical frame is a physical frame in which the UE sends the third RRC message. The processing module is configured to: in response to the third physical frame not matching the fourth physical frame, determine that the man-in-the-middle exists between the base station and the UE; or in response to the third physical frame matching the fourth physical frame, determine that no man-in-the-middle exists between the base station and the UE.
- In some embodiments, the frame information of the fourth physical frame includes a frame number and a subframe number of the fourth physical frame.
- In some embodiments, the processing module is further configured to establish an AS security context with the UE.
- In some embodiments, the transceiver module is further configured to send indication information to the UE, where the indication information indicates the UE to enable man-in-the-middle detection.
- In some embodiments, a communication apparatus is provided. The apparatus includes a processor, configured to execute a computer program stored in a memory, to enable the communication apparatus to perform the communication method in any one of the embodiments.
- In some embodiments, a computer-readable storage medium is provided. The computer-readable storage medium stores a computer program. In response to the computer program being run on a computer, the computer is enabled to perform the communication method in any one of the embodiments.
- In some embodiments, a chip system is provided. The chip system includes a processor, configured to invoke a computer program from a memory and run the computer program, to enable the communication device installed with the chip system to perform the communication method in any one of the embodiments.
- FIG. 1 is an example diagram of a system architecture, in accordance with some embodiments;
- FIG. 2 is an architectural diagram of working of a man-in-the-middle according to some embodiments;
- FIG. 3 is a schematic interaction diagram of an example of a man-in-the-middle detection method according to some embodiments;
- FIG. 4 is a schematic diagram of message transmission between user equipment and a base station according to some embodiments;
- FIG. 5 is a schematic interaction diagram of another example of a man-in-the-middle detection method according to some embodiments;
- FIG. 6 is a schematic interaction diagram of another example of a man-in-the-middle detection method according to some embodiments;
- FIG. 7 is a schematic interaction diagram of another example of a man-in-the-middle detection method according to some embodiments;
- FIG. 8 is a schematic block diagram of an example of user equipment according to some embodiments;
- FIG. 9 is a schematic block diagram of an example of a base station according to some embodiments;
- FIG. 10 is a schematic block diagram of another example of user equipment according to some embodiments;
- FIG. 11 is a schematic block diagram of another example of a base station according to some embodiments;
- FIG. 12 is a schematic block diagram of an example of a communication apparatus according to some embodiments;
- FIG. 13 is a schematic block diagram of another example of a communication apparatus according to some embodiments; and
- FIG. 14 is a schematic diagram of a structure of a terminal device according to some embodiments.
- The following describes technical solutions with reference to the accompanying drawings in the discussed embodiments.
- The technical solutions in some embodiments are applied to various communication systems, for example, a long term evolution (long term evolution, LTE) system, an LTE frequency division duplex (frequency division duplex, FDD) system, an LTE time division duplex (time division duplex, TDD), a universal mobile telecommunications system (universal mobile telecommunications system, UMTS), and a new radio (new radio, NR) system.
- The following describes a structure of a communication system in some embodiments with reference to FIG. 1. As shown in FIG. 1, the communication system includes but is not limited to the following network elements.
- 1. User equipment (user equipment, UE)
- The UE in some embodiments is also referred to as a mobile station (mobile station, MS), a mobile terminal (mobile terminal, MT), an access terminal, a subscriber unit, a subscriber station, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent, a user apparatus, and the like.
- The UE is a device that provides a voice/data connectivity for a user, for example, a handheld device or a vehicle-mounted device that has a wireless connection function. Currently, examples of some terminals are a mobile phone (mobile phone), a tablet computer, a laptop computer, a palmtop computer, a mobile internet device (mobile internet device, MID), a wearable device, a virtual reality (virtual reality, VR) device, an augmented reality (augmented reality, AR) device, a wireless terminal in industrial control (industrial control), a wireless terminal in self-driving (self-driving), a wireless terminal in remote medical surgery (remote medical surgery), a wireless terminal in a smart grid (smart grid), a wireless terminal in transportation safety (transportation safety), a wireless terminal in a smart city (smart city), a wireless terminal in a smart home (smart home), a cellular phone, a cordless telephone set, a session initiation protocol (session initiation protocol, SIP) phone, a wireless local loop (wireless local loop, WLL) station, a personal digital assistant (personal digital assistant, PDA), a handheld device having a wireless communication function, a calculating device or another processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, UE in a future 5G network, or UE in a future evolved public land mobile network (public land mobile network, PLMN). This is not limited in some embodiments.
- By way of example, and not limitation, in some embodiments, the UE alternatively is a wearable device. The wearable device is also referred to as a wearable intelligent device, and is a general term for a wearable device that is intelligently designed and developed for daily wear by using a wearable technology, for example, glasses, gloves, a watch, clothing, and shoes. The wearable device is a portable device that is directly worn on a body or integrated into clothes or an accessory of a user. The wearable device is not merely a hardware device, but also implements powerful functions through software support, data exchange, and cloud interaction. A generalized wearable intelligent device includes a full-featured and large-size device that implements complete or partial functions without depending on a smartphone, such as a smart watch or smart glasses, and a device that focuses on one type of application function and works with another device such as a smartphone, for example, various smart bands or smart jewelry for monitoring a physical sign.
- In addition, in some embodiments, the UE alternatively is UE in an internet of things (Internet of things, IoT) system. An IoT is a part of future information technology development. A main technical feature of the IoT is that an article is connected to a network by using a communication technology, to implement an intelligent network for human-machine interconnection and thing-thing interconnection.
- In some embodiments, the IoT technology implements massive connections, in-depth coverage, and terminal power saving by using, for example, a narrow band (narrow band) NB technology. For example, an NB includes one resource block (resource block, RB). In other words, a bandwidth of the NB is 180 KB. To implement massive access, a terminal performs discrete access. According to a communication method in some embodiments, a congestion problem that occurs in the IoT technology in response to massive terminals accessing a network through the NB is effectively resolved.
- In addition, in some embodiments, the UE further communicates with UE in another communication system. For example, the UEs perform inter-device communication. For example, the UE further transmits (for example, send and/or receive) a time synchronization packet with UE in another communication system.
- 2. Base Station
- In addition, the base station in some embodiments is a device configured to communicate with UE. The base station is also referred to as an access network device or a radio access network device. For example, the base station is an evolved NodeB (evolved NodeB, eNB or eNodeB) in an LTE system, or a radio controller in a cloud radio access network (cloud radio access network, CRAN) scenario. Alternatively, the base station is a relay station, an access point, a vehicle-mounted device, a wearable device, a base station in a future 5G network, a base station in a future evolved PLMN network, an access point (access point, AP) in a WLAN, or a gNB in a new radio (new radio, NR) system. This is not limited in some embodiments.
- In addition, in some embodiments, the base station is a device in a RAN, that is, a RAN node that enables UE to access a wireless network. For example, by way of example, and not limitation, the base station is a gNB, a transmission reception point (transmission reception point, TRP), an evolved NodeB (evolved NodeB, eNB), a radio network controller (radio network controller, RNC), a NodeB (NodeB, NB), a base station controller (base station controller, BSC), a base transceiver station (base transceiver station, BTS), a home base station (such as a home evolved NodeB, or home NodeB, HNB), or a base band unit (base band unit, BBU). In a network structure, a network device includes a central unit (central unit, CU) node, a distributed unit (distributed unit, DU) node, a RAN device including a CU node and a DU node, or a RAN device including a CU control plane node (CU-CP node), a CU user plane node (CU-UP node), and a DU node.
- The base station serves a cell. UE communicates with the base station by using a transmission resource (for example, a frequency domain resource or a spectrum resource) used for the cell. The cell is a cell corresponding to the base station (for example, the base station). The cell belongs to a macro base station, or a base station corresponding to a small cell (small cell). The small cell herein includes a metro cell (metro cell), a micro cell (micro cell), a pico cell (pico cell), a femto cell (femto cell), or the like. These small cells have features of small coverage and low transmit power, and are applicable to providing a high-speed data transmission service.
- In addition, a plurality of cells simultaneously operate on the same frequency of a carrier in an LTE system or a 5G system. In some embodiments, the concept of the carrier is equivalent to that of the cell. For example, in a carrier aggregation (carrier aggregation, CA) scenario, in response to a secondary component carrier being configured for UE, a carrier index of the secondary component carrier and a cell identifier (cell identifier, Cell ID) of a secondary cell working on the secondary component carrier are both carried. In some embodiments, the concept of the carrier is equivalent to that of the cell. For example, for UE, accessing a carrier is equivalent to accessing a cell.
- 3. Access Management Function Entity
- The access management function entity is mainly configured to perform mobility management, access management, and the like, and is configured to implement functions other than a session management function in functions of a mobility management entity (mobility management entity, MME) in an LTE system, for example, functions such as lawful interception and access authorization/authentication.
- In a 5G communication system, an access management network element is an access management function (access and mobility management function, AMF) entity.
- In a future communication system, the access management function entity still is an AMF entity, or has another name. This is not limited in some embodiments.
- In some embodiments, the entities or the functions are network elements in a hardware device, software functions running on dedicated hardware, or virtualized functions instantiated on a platform (for example, a cloud platform).
- The foregoing network elements or entities included in the communication system are examples for descriptions. This is not particularly limited in some embodiments.
- FIG. 2 is an architectural diagram of working of a man-in-the-middle. In some embodiments, as shown in FIG. 2, the man-in-the-middle includes a false base station part and a false UE part. The false base station part is configured to attract UE to camp on a man-in-the-middle cell, and the false UE part is configured to access a real base station, and forward or modify communication data of real UE. An AMF network element is a network element that is mainly responsible for access and mobility management. A base station (a gNB in FIG. 2) and the AMF are connected through an N2 interface. The interface is similar to an S1 interface, and transmits a message exchanged between a RAN and the AMF. UE communicates with the AMF through an N1/NAS interface to transmit a message exchanged between the UE and the AMF. Usually, the RAN forwards the message to the AMF. The UE and the base station are connected through a Uu interface, over which the UE and the base station exchange RRC signaling and user plane data. The base station is connected to the AMF through the N2 interface, and the base station communicates with the AMF based on an N2 protocol.
- Such a man-in-the-middle eavesdrops on, tampers with, forges, injects, and releases air interface messages, causing a DoS attack on a terminal and a network. It is usually difficult for a network side and a terminal side to perceive a man-in-the-middle.
- For ease of description, the following first describes a physical frame in air interface communication by using a frame structure in an LTE system and an NR system as an example.
- The physical frame usually refers to a protocol data unit at a data link layer. The physical frame includes several parts that perform different functions. The frame structure refers to frames that form different repetition periodicities based on the different information transmitted. To meet the condition of uplink and downlink time switching in time division multiplexing, a dedicated radio frame structure is designed in TD-LTE. In the TD-LTE time domain, there are two types of frame structures, each transmitted periodically with a standard-configured quantity of uplink and downlink subframes: a radio frame and a half-frame. Duration of the radio frame is 10 ms, and duration of the half-frame is 5 ms. One radio frame includes two half-frames. Each half-frame includes five subframes whose duration is 1 ms, each subframe includes two slots whose duration is 0.5 ms, and each slot includes six or seven CP+OFDM symbols depending on the cyclic prefix CP duration.
- Compared with a fixed 4G frame structure, the most distinctive feature of a 5G frame structure is flexibility and variability. A 5G frame uses a hierarchical structure and includes two parts: a fixed architecture and a flexible architecture. The fixed architecture is the same as that in 4G, and includes a radio frame whose duration is 10 ms and a subframe whose duration is 1 ms. Each frame is divided into two half-frames. The first half-frame includes subframes 0 to 4, and the second half-frame includes subframes 5 to 9. Each subframe includes several slots.
- In an LTE system or an NR system, a system frame number (system frame number, SFN) ranges from 0 to 1023, that is, a data sending periodicity is 1024 frames. A subframe number ranges from 0 to 9, that is, a sending periodicity of a part of control information is 10 subframes.
- The following describes in detail a man-in-the-middle detection method in some embodiments with reference to FIG. 3 to FIG. 7.
- FIG. 3 is a schematic flowchart of a man-in-the-middle detection method 100 according to some embodiments. As shown in FIG. 3, the method 100 includes the following steps.
- S110: A base station receives, in a first physical frame, a first RRC message sent by UE.
- S120: The base station receives a second RRC message sent by the UE, where the second RRC message includes frame information of a second physical frame.
- S130: The base station determines whether the first physical frame matches the second physical frame.
- After successfully establishing an AS security context with the UE, the base station receives, in the first physical frame, the first RRC message from the UE. Then, the base station receives the security-protected second RRC message from the UE. The UE provides the frame information of the second physical frame to the base station by using the second RRC message. The second physical frame is the physical frame in which the UE sends the first RRC message. In response to a man-in-the-middle attack existing, air interface communication between the base station and the UE is intercepted by the man-in-the-middle. An air interface between the UE and a false base station and an air interface between false UE and the base station are independent of each other, that is, the base station is unable to directly receive the first RRC message sent by the UE. The man-in-the-middle receives the first RRC message through the false base station, and forwards the first RRC message to the base station through the false UE. Security protection is performed on the first RRC message by using an access stratum security context established by the UE and the base station. Therefore, the man-in-the-middle is unable to crack or tamper with the first RRC message. Once the man-in-the-middle attack occurs between the UE and the base station, the physical frame in which the UE sends an uplink message cannot be consistent with the physical frame in which the base station receives the uplink message. Therefore, in response to the first physical frame matching the second physical frame, the base station determines that no man-in-the-middle exists between the UE and the base station. In response to the first physical frame not matching the second physical frame, the base station determines that a man-in-the-middle exists between the UE and the base station.
- Therefore, according to the man-in-the-middle detection method in some embodiments, whether the man-in-the-middle exists in the air interface communication is determined by determining whether the physical frame in which the UE sends the uplink message matches the physical frame in which the base station receives the uplink message, to prevent the man-in-the-middle from bypassing detection through a mechanism of the man-in-the-middle and improve a man-in-the-middle detection rate.
- According to the method 100, a basis of the man-in-the-middle detection method in some embodiments is as follows: In response to the man-in-the-middle attack existing between the UE and the base station, the physical frame in which the UE sends the uplink message is unable to match the physical frame in which the base station receives the uplink message. In other words, frame information of the physical frame in which the UE sends the uplink message is inconsistent with frame information of the physical frame in which the base station receives the uplink message. For example, in an uplink scheduling request mechanism shown in FIG. 4, in response to the man-in-the-middle existing between the UE and the base station, an uplink message, for example, the first RRC message, sent by the UE to the base station is unable to be directly received by the base station. The base station receives the first RRC message transparently transmitted by the man-in-the-middle. In this case, frame information of a physical frame in which the man-in-the-middle sends the uplink message through false UE is unable to be consistent with frame information of a physical frame in which real UE sends the uplink message. The process 200 shown in FIG. 4 includes the following steps.
- S210: The UE sends a first scheduling request (scheduling request, SR) to the man-in-the-middle.
- In response to the man-in-the-middle attack existing, the UE and the base station are indirectly connected through the man-in-the-middle, that is, the man-in-the-middle establishes connections to the real UE and a real base station separately through the false base station and the false UE. After the connections are established, the UE sends the first SR to the false base station to apply for an uplink transmission resource.
- S220: The man-in-the-middle sends first downlink control information (downlink control information, DCI) to the UE.
- After receiving the first SR sent by the UE, the man-in-the-middle sends the first DCI to the UE, and indicates an appropriate available resource to the UE by using the first DCI.
- S230: The UE sends the first RRC message to the man-in-the-middle.
- The UE receives the first DCI sent by the man-in-the-middle, determines a physical frame a based on the first DCI, and sends the first RRC message to the man-in-the-middle in the physical frame a.
- For example, after receiving the first DCI in a subframe n, the UE sends the first RRC message to the man-in-the-middle in a subframe n+x. The physical frame in which the subframe n+x is located is the physical frame a. In some embodiments, in an LTE system, x is a value specified in the protocol, and for a unified configuration the value of x is fixed. For example, in a frequency division duplex (frequency division duplex, FDD) scenario, the value of x is fixed to 4. For details, refer to chapter 8 of the protocol 3GPP TS 36.213. For another example, in an NR system, the UE receives the first DCI, where the first DCI carries an information parameter, and the UE determines the value of x based on the information parameter. For the determination method, refer to chapter 6 of the protocol 3GPP TS 38.214.
- S240: The man-in-the-middle sends the first SR to the base station.
- After receiving the first SR sent by the UE in step S210, the man-in-the-middle reports the first SR to the real base station through the false UE.
- S250: The base station sends second DCI to the man-in-the-middle.
- After receiving the first SR sent by the false UE, the base station sends the second DCI to the man-in-the-middle to indicate an appropriate available resource for the false UE.
- S260: The man-in-the-middle sends the first RRC message to the base station.
- The man-in-the-middle receives the second DCI sent by the base station, determines a physical frame b based on the second DCI, and sends the first RRC message to the base station in the physical frame b.
- In some embodiments, the physical frame a is a time domain resource location indicated by the man-in-the-middle for the UE, and the physical frame b is a time domain resource location indicated by the base station for the man-in-the-middle. Because the man-in-the-middle is unable to predict a location of the physical frame b indicated by the base station, the physical frame a is unable to match the physical frame b. Therefore, in response to the man-in-the-middle attack existing, the physical frame in which the UE sends the uplink message is unable to match the physical frame in which the base station receives the uplink message.
- FIG. 5 is a schematic flowchart of a man-in-the-middle detection method 300 according to some embodiments in response to a man-in-the-middle attack existing between UE and a base station. From FIG. 5, the method 300 includes the following steps.
- S310: The UE establishes an AS security context with the base station.
- The UE accesses the base station, that is, the UE establishes an indirect connection to the base station through the man-in-the-middle, and then the UE establishes the access stratum AS security context with the base station. In some embodiments, after the UE establishes the AS security context with the base station, security protection is performed on RRC messages, and the man-in-the-middle is unable to tamper with the RRC message sent between the UE and the base station. In some embodiments, the security protection includes RRC integrity protection and RRC confidentiality protection. The RRC integrity protection ensures that the RRC message is not tampered with in a transmission process, and the RRC confidentiality protection ensures that information content of the RRC message is not disclosed in the transmission process.
- S320: The man-in-the-middle sends third DCI to the UE, where the third DCI is used to determine a physical frame p for sending the RRC message by the UE.
- In some embodiments, before S320, the UE sends a buffer status report (buffer status report, BSR) to the man-in-the-middle to indicate a data volume of an uplink buffer, and then the man-in-the-middle sends the third DCI to the UE to allocate an appropriate available resource to the UE. The UE determines the physical frame p based on the third DCI. For example, in an NR system, the UE receives the third DCI in a physical frame c, a frame number and a subframe number of the physical frame c are 10 and 6 respectively, and time indicated by the physical frame c is 10*10+6=106. The third DCI carries an information parameter. The UE obtains, through calculation based on the information parameter, that a value of x is 2, and time indicated by a physical frame e is 106+2=108. Therefore, a frame number and a subframe number of the physical frame e are 10 and 8 respectively.
- Optionally, after determining the physical frame p based on the third DCI, the UE stores frame information of the physical frame p, where the frame information of the physical frame p includes a frame number and a subframe number of the physical frame p.
- In some embodiments, before step S320, in response to a first preset rule being met, the UE enables man-in-the-middle detection. Enabling man-in-the-middle detection means that the UE performs the method mentioned in some embodiments. For example, enabling man-in-the-middle detection includes: The UE sends a first physical frame query request message and a second physical frame query request message that carries the frame information of the physical frame p.
- The first preset rule includes: The UE receives indication information from the base station, where the indication information indicates the UE to enable man-in-the-middle detection; or the UE determines that user plane integrity protection between the UE and the base station is not enabled. In some embodiments, in response to the user plane integrity protection not being enabled, there is a risk of tampering with user plane data between the UE and the base station. In this case, in response to the man-in-the-middle existing, authenticity of the user plane data is unable to be ensured. Therefore, the man-in-the-middle detection is enabled.
- Optionally, in response to a second preset rule being met, the base station sends indication information to the UE to indicate the UE to enable the man-in-the-middle detection. The second preset rule is, for example, that a key performance indicator (key performance indicator, KPI) is greater than a second threshold.
- S330: The UE sends the first physical frame query request message to the man-in-the-middle.
- The UE sends, in the physical frame p, the first physical frame query request message that is carried in the RRC message, to perform man-in-the-middle detection. Security protection is performed on the message, and therefore the message is unable to be tampered with by the man-in-the-middle.
- In some embodiments, the first physical frame query request message is an empty RRC message.
- S340: The base station sends fourth DCI to the man-in-the-middle, where the fourth DCI is used to determine a physical frame q.
- In some embodiments, before S340, the man-in-the-middle sends the BSR to the base station through false UE, to indicate the data volume of the uplink buffer, and then the base station sends the fourth DCI to the man-in-the-middle, where the fourth DCI is used to determine the physical frame q.
- S350: The base station stores frame information of the physical frame q.
- Optionally, after indicating the physical frame q to the man-in-the-middle by using the fourth DCI, the base station stores the frame information of the physical frame q.
- S360: The man-in-the-middle sends the first physical frame query request message to the base station.
- The man-in-the-middle receives, in the physical frame p, the first physical frame query request message sent by the UE. Security protection is performed on the first physical frame query request message by using the AS security context established by the UE and the base station, and therefore the man-in-the-middle is unable to tamper with the first physical frame query request message, and the message is transparently transmitted to the base station. Therefore, the man-in-the-middle sends, in the physical frame q indicated by the base station for the man-in-the-middle, the first physical frame query request message to the base station.
- S370: The base station continues to store the frame information of the physical frame q.
- After receiving, in the physical frame q, the first physical frame query request message forwarded by the man-in-the-middle, the base station locally records the frame information of the physical frame q, where the frame information of the physical frame q includes a frame number and a subframe number of the physical frame q.
- Optionally, in response to the first physical frame query request message including indication information, for example, the first physical frame query request message is an RRC message for enabling the man-in-the-middle detection, or the first RRC message includes indication information (for example, an indication bit is carried in an existing measurement report, and the indication bit optionally indicates to enable the man-in-the-middle detection), the base station continues to retain the frame information of the physical frame q or restores the frame information of the physical frame q.
- Optionally, the base station determines, based on the first RRC message, that a terminal enables the man-in-the-middle detection.
- In some embodiments, a feature that the base station continues to retain the frame information of the physical frame q is applied to another embodiment in which information about a physical frame is retained. This is not limited in some embodiments.
- Optionally, in an NR system, the frame information of the physical frame q further includes a slot number of the physical frame q. In the NR system, in response to a subframe including a plurality of slots, the base station (or false base station) indicates, to the UE by using DCI, the frame number, the subframe number, and the slot number of the physical frame q.
- S380: The UE sends the second physical frame query request message to the man-in-the-middle.
- After sending, in the physical frame p, the first physical frame query request message to the man-in-the-middle, the UE sends the second physical frame query request message on which security protection is performed to the man-in-the-middle, where the second physical frame query request message includes the frame information of the physical frame p. In some embodiments, after determining to enable the man-in-the-middle detection, the UE includes the frame information of the physical frame p in the second physical frame query request message for the man-in-the-middle detection. In some embodiments, the second RRC message is sent to perform a man-in-the-middle detection procedure, so that the base station determines, based on the information about the physical frame carried in the second physical frame query request message, whether the man-in-the-middle exists.
- In some embodiments, because the first physical frame query request message is an RRC layer message, when the message is encoded and constructed at the RRC layer, the physical frame in which the message will be sent cannot yet be determined. After the first physical frame query request message is encoded, the first physical frame query request message enters a buffer queue. The UE reports the buffer status report to the base station. Then, the base station schedules the UE in a unified manner. After obtaining a resource, the UE uses the resource for message sending. There is a possibility of retransmission in message sending, and it cannot be ensured that the current sending succeeds. Therefore, the first physical frame query request message is unable to carry the frame information of the physical frame p.
- S390: The man-in-the-middle sends the second physical frame query request message to the base station.
- The man-in-the-middle receives the second physical frame query request message sent by the UE. However, because the second physical frame query request message is sent by the UE based on the AS security context, the man-in-the-middle is unable to crack or tamper with the second physical frame query request message, and transparently transmits the second physical frame query request message to the base station.
- S311: The base station determines whether the physical frame p matches the physical frame q.
- After receiving the second physical frame query request message transparently transmitted by the man-in-the-middle, the base station extracts the frame number and the subframe number of the physical frame p that are carried in the second physical frame query request message, and compares the frame number and the subframe number with the frame number and the subframe number of the physical frame q that are locally recorded and stored. In response to the frame number of the physical frame p being the same as the frame number of the physical frame q and the subframe number of the physical frame p being the same as the subframe number of the physical frame q, the physical frame p matches the physical frame q, and no man-in-the-middle exists between the UE and the base station. Otherwise, the physical frame p does not match the physical frame q, and the man-in-the-middle exists between the UE and the base station.
- Optionally, in the NR system, in response to a slot number of a physical frame being considered, the second physical frame query request message carries the frame number, the subframe number, and the slot number of the physical frame p, and the base station compares the frame number, the subframe number, and the slot number with the frame number, the subframe number, and the slot number of the physical frame q that are locally recorded. In response to the frame number, the subframe number, and the slot number of the physical frame p being respectively the same as the frame number, the subframe number, and the slot number of the physical frame q, the physical frame p matches the physical frame q, and no man-in-the-middle exists between the UE and the base station. Otherwise, the physical frame p does not match the physical frame q, and the man-in-the-middle exists between the UE and the base station.
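The following constructed simulation, added here and not code from the patent, works through the frame bookkeeping of S230/S320 (the UE derives its send frame from the subframe in which it received DCI plus x) and the comparison of S311, including the NR slot variant, for both the direct case and the relayed case of process 200. The `BaseStation` class, the `run_direct`/`run_relayed` scenarios and their grant and relay delays are assumptions of the example; the SFN wrap at 1024 and ten subframes per frame are standard LTE/NR numbering.

```python
"""Constructed simulation (not the patent's own code) of the physical-frame
matching check: UE-side n+x scheduling (S230/S320) and base-station-side
comparison of reported frame p against recorded frame q (S311)."""
from dataclasses import dataclass
from typing import Optional, Tuple

SFN_MODULUS = 1024          # system frame numbers count 0..1023 in LTE and NR
SUBFRAMES_PER_FRAME = 10    # ten 1 ms subframes per 10 ms radio frame
FDD_X = 4                   # LTE FDD: a grant in subframe n schedules n+4


@dataclass(frozen=True)
class PhysicalFrame:
    """Frame information as the page defines it: frame number, subframe
    number and, for NR with several slots per subframe, an optional slot."""
    frame: int
    subframe: int
    slot: Optional[int] = None

    def index(self) -> int:
        # the page's "time" value: frame*10 + subframe, e.g. (10, 6) -> 106
        return self.frame * SUBFRAMES_PER_FRAME + self.subframe

    @classmethod
    def from_index(cls, idx: int, slot: Optional[int] = None) -> "PhysicalFrame":
        idx %= SFN_MODULUS * SUBFRAMES_PER_FRAME   # SFN wraps after frame 1023
        return cls(idx // SUBFRAMES_PER_FRAME, idx % SUBFRAMES_PER_FRAME, slot)


def scheduled_frame(dci_frame: PhysicalFrame, x: int,
                    slot: Optional[int] = None) -> PhysicalFrame:
    """UE side (S230/S320): DCI received in subframe n means transmit in n+x."""
    return PhysicalFrame.from_index(dci_frame.index() + x, slot)


def frames_match(p: PhysicalFrame, q: PhysicalFrame, check_slot: bool = False) -> bool:
    """Base-station side (S311): equal frame and subframe numbers; in the NR
    variant the slot number must agree as well."""
    if p.frame != q.frame or p.subframe != q.subframe:
        return False
    return p.slot == q.slot if check_slot else True


class BaseStation:
    """Real base station: issues grants, records frame q (S350/S370) and
    judges the UE's report (S311). The grant delay is a made-up constant."""

    def __init__(self, x: int = FDD_X, grant_delay: int = 1, check_slot: bool = False):
        self.x = x
        self.grant_delay = grant_delay
        self.check_slot = check_slot
        self.recorded_q: Optional[PhysicalFrame] = None

    def grant(self, request_idx: int) -> Tuple[PhysicalFrame, PhysicalFrame]:
        """Answer a scheduling request: return (DCI frame, granted frame q)."""
        dci = PhysicalFrame.from_index(request_idx + self.grant_delay)
        q = scheduled_frame(dci, self.x)
        self.recorded_q = q            # S350: store q before the message arrives
        return dci, q

    def on_first_message(self, received_in: PhysicalFrame) -> None:
        self.recorded_q = received_in  # S370: keep the frame actually used

    def on_second_message(self, reported_p: Optional[PhysicalFrame]) -> Optional[bool]:
        """True: no man-in-the-middle detected; False: detected;
        None: the UE did not enable detection (no frame info reported)."""
        if reported_p is None or self.recorded_q is None:
            return None
        return frames_match(reported_p, self.recorded_q, self.check_slot)


def run_direct(sr_idx: int = 1060) -> Optional[bool]:
    """No attacker: the UE's send frame p comes from the real base station's
    DCI, so p equals the recorded q and the check passes."""
    bs = BaseStation()
    dci, _ = bs.grant(sr_idx)
    p = scheduled_frame(dci, bs.x)     # UE applies the same n+x rule
    bs.on_first_message(p)             # message lands in the granted frame
    return bs.on_second_message(p)     # UE reports p in the protected message


def run_relayed(sr_idx: int = 1060, relay_delay: int = 3) -> Optional[bool]:
    """Attacker relays (process 200): the UE's p follows the false base
    station's DCI, while the real base station grants the false UE its own
    frame q from a later, independently handled request."""
    bs = BaseStation()
    false_bs_dci = PhysicalFrame.from_index(sr_idx + 1)   # false BS schedules UE
    p = scheduled_frame(false_bs_dci, bs.x)               # frame a in the text
    _, q = bs.grant(sr_idx + relay_delay)                 # frame b in the text
    bs.on_first_message(q)             # relayed copy arrives in frame q, not p
    return bs.on_second_message(p)     # report still says p: mismatch
```

With `relay_delay=0` the two grants coincide and the check passes, which shows that the page's argument rests on the real base station's grant being unpredictable to the relay; this constant only approximates that independence.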
- Optionally, after determining that the man-in-the-middle exists, the base station issues a warning or takes a preventive measure.
- Therefore, according to the man-in-the-middle detection method in some embodiments, man-in-the-middle detection is performed based on that a physical frame in which the man-in-the-middle sends an uplink message through the false UE is unable to be consistent with a physical frame in which real UE sends the uplink message, to prevent the man-in-the-middle from bypassing detection through a mechanism of the man-in-the-middle and improve a man-in-the-middle detection rate.
- FIG. 6 is a schematic flowchart of another man-in-the-middle detection method 400 according to some embodiments. From FIG. 6, the method 400 includes the following steps.
- S410: UE sends, in a third physical frame, a third RRC message to a base station.
- S420: The UE receives a fourth RRC message sent by the base station, where the fourth RRC message includes frame information of a fourth physical frame.
- S430: The UE determines whether the third physical frame matches the fourth physical frame.
- S440: The UE sends a fifth RRC message to the base station, where the fifth RRC message indicates whether the third physical frame matches the fourth physical frame.
- After successfully establishing an AS security context with the base station, the UE sends, in the third physical frame, the third RRC message on which security protection is performed to the base station, where the third physical frame is a time domain resource specified by the base station (or false base station) for the UE. Security protection is performed on the third RRC message by using the access stratum AS security context established by the UE and the base station. Therefore, a man-in-the-middle is unable to crack or tamper with the third RRC message. In response to a man-in-the-middle attack existing, air interface communication between the UE and the base station is intercepted by the man-in-the-middle. An air interface between the UE and the false base station and an air interface between false UE and the base station are independent of each other, that is, the base station is unable to directly receive the third RRC message sent by the UE. The man-in-the-middle receives the third RRC message through the false base station and forwards the third RRC message to the base station through the false UE. The base station receives, in the fourth physical frame, the third RRC message, and sends the fourth RRC message on which security protection is performed to the UE, where the fourth RRC message includes the frame information of the fourth physical frame. The UE receives the fourth RRC message, obtains the frame information of the fourth physical frame by using the fourth RRC message, and determines whether the third physical frame matches the fourth physical frame. After the man-in-the-middle attack occurs between the UE and the base station, a physical frame in which the UE sends an uplink message is unable to be consistent with a physical frame in which the base station receives the uplink message. Therefore, in response to the third physical frame matching the fourth physical frame, the UE determines that no man-in-the-middle exists between the UE and the base station. In response to the third physical frame not matching the fourth physical frame, the UE determines that the man-in-the-middle exists between the UE and the base station. Then, the UE sends a fifth RRC message to the base station, where the fifth RRC message indicates whether the third physical frame matches the fourth physical frame.
- Therefore, according to the man-in-the-middle detection method in some embodiments, whether the man-in-the-middle exists in the air interface communication is determined by determining whether the physical frame in which the UE sends the uplink message matches the physical frame in which the base station receives the uplink message, to prevent the man-in-the-middle from bypassing detection through a mechanism of the man-in-the-middle and improve a man-in-the-middle detection rate.
- FIG. 7 shows a schematic flowchart of a man-in-the-middle detection method 500 according to some embodiments in response to a man-in-the-middle attack existing between UE and a base station. From FIG. 7, the method 500 includes the following steps.
- S510: The UE establishes an AS security context with the base station.
- The UE accesses the base station, that is, the UE establishes an indirect connection to the base station through the man-in-the-middle, and then the UE establishes the access stratum AS security context with the base station. In some embodiments, after the UE establishes the AS security context with the base station, security protection is performed on RRC messages, and the man-in-the-middle is unable to tamper with the RRC message sent between the UE and the base station.
- S520: The man-in-the-middle sends fifth DCI to the UE, where the fifth DCI is used to determine a physical frame in which the UE sends an RRC message.
- In some embodiments, before S520, the UE sends a buffer status report (buffer status report, BSR) to the man-in-the-middle to indicate a data volume of an uplink buffer, and then the man-in-the-middle sends the fifth DCI to the UE to allocate an appropriate available resource to the UE. The UE determines a physical frame e based on the fifth DCI.
- Optionally, the UE locally records frame information of the physical frame e, where the frame information of the physical frame e includes a frame number and a subframe number of the physical frame e.
- In some embodiments, before step S520, in response to a first preset rule being met, the UE enables man-in-the-middle detection. Enabling man-in-the-middle detection means that the UE performs the method mentioned in some embodiments. For example, enabling man-in-the-middle detection includes: The UE sends a physical frame query request message and stores the frame information of the physical frame e.
- The first preset rule includes: The UE receives indication information from the base station, where the indication information indicates the UE to enable man-in-the-middle detection; or the UE determines that user plane integrity protection between the UE and the base station is not enabled.
- Optionally, in response to a second preset rule being met, the base station sends indication information to the UE to indicate the UE to enable the man-in-the-middle detection. The second preset rule is, for example, that a key performance indicator (key performance indicator, KPI) is greater than a second threshold.
- S530: The UE sends the physical frame query request message to the man-in-the-middle.
- The UE sends, in the physical frame e, the physical frame query request message that is carried in the RRC message, to perform man-in-the-middle detection. Security protection is performed on the message by using the access stratum AS security context established between the UE and the base station, and therefore the message is unable to be tampered with by the man-in-the-middle.
- In some embodiments, the physical frame query request message is an empty RRC message.
- S540: The base station sends sixth DCI to the man-in-the-middle, where the sixth DCI is used to determine a physical frame for the man-in-the-middle to perform RRC communication.
- Optionally, before S540, the man-in-the-middle sends the buffer status report (buffer status report, BSR) to the base station to indicate the data volume of an uplink buffer. Then, the man-in-the-middle sends the fifth DCI to the UE to allocate an appropriate available resource to the UE. The UE determines a physical frame f based on the sixth DCI.
- S550: The man-in-the-middle sends the physical frame query request message to the base station.
- In S530, the man-in-the-middle receives the physical frame query request message sent by the UE. Because security protection is performed on the message, the man-in-the-middle is unable to tamper with the message. Therefore, the man-in-the-middle forwards, in the physical frame f indicated by the base station to the man-in-the-middle, the physical frame query request message to the base station.
- S560: The base station sends a physical frame query response message to the man-in-the-middle.
- After receiving, in the physical frame f, the physical frame query request message transparently transmitted by the man-in-the-middle, the base station sends the physical frame query response message on which security protection is performed to the false UE. The physical frame query response message carries frame information of the physical frame f, where the frame information of the physical frame f includes a frame number and a subframe number of the physical frame f.
- S570: The man-in-the-middle sends the physical frame query response message to the UE.
- After receiving the physical frame query response message sent by the base station, the man-in-the-middle forwards the physical frame query response message to the UE through the false base station.
- S580: The UE determines whether the physical frame e matches the physical frame f.
- After receiving the physical frame query response message sent by the false base station, the UE extracts the frame number and the subframe number of the physical frame f that are carried in the physical frame query response message, and compares the frame number and the subframe number with the frame number and the subframe number of the physical frame e that are locally recorded and stored in response to the physical frame query request message being successfully sent. In response to the frame number of the physical frame e being the same as the frame number of the physical frame f and the subframe number of the physical frame e being the same as the subframe number of the physical frame f, the physical frame e matches the physical frame f, and no man-in-the-middle exists between the UE and the base station. Otherwise, the physical frame e does not match the physical frame f, and the man-in-the-middle exists between the UE and the base station.
- S590: The UE sends a physical frame query indication message to the base station.
- After determining whether the physical frame e matches the physical frame f, the UE sends the physical frame query indication message on which security protection is performed to the base station, and the physical frame query indication message is received by the base station after being transparently transmitted by the man-in-the-middle. The physical frame query indication message includes a determining result, where the determining result indicates whether the physical frame e matches the physical frame f. After determining, based on the physical frame query indication message, that the man-in-the-middle exists, the base station issues a warning or takes a preventive measure.
- Therefore, according to the man-in-the-middle detection method in some embodiments, man-in-the-middle detection is performed based on that a physical frame in which the man-in-the-middle sends an uplink message through the false UE is unable to be consistent with a physical frame in which real UE sends the uplink message, to prevent the man-in-the-middle from bypassing detection through a mechanism of the man-in-the-middle and improve a man-in-the-middle detection rate.
- The methods provided in some embodiments are described above in detail with reference to FIG. 3 to FIG. 7. The following describes in detail communication apparatuses provided in some embodiments with reference to FIG. 8 and FIG. 12.
- FIG. 8 is a schematic block diagram of a communication apparatus according to some embodiments. As shown in the figure, the communication apparatus 10 includes a transceiver module 11 and a processing module 12.
- In a possible design, the communication apparatus 10 corresponds to the base station in the foregoing method embodiments.
- The communication apparatus 10 corresponds to the user equipment in the method 100, the method 200, and the method 300 according to some embodiments. The communication apparatus 10 includes a module configured to perform a method performed by the base station in the method 100 in FIG. 3, the method 200 in FIG. 4, or the method 300 in FIG. 5. In addition, units in the communication apparatus 10 and the foregoing other operations and/or functions are separately intended to implement corresponding procedures of the method 100 in FIG. 3, the method 200 in FIG. 4, or the method 300 in FIG. 5.
- In response to the communication apparatus 10 being configured to perform the method 100 in FIG. 3, the transceiver module 11 is configured to perform step S110 and step S120 in the method 100, and the processing module 12 is configured to perform step S130 in the method 100.
- In response to the communication apparatus 10 being configured to perform the method 200 in FIG. 4, the transceiver module 11 is configured to perform step S240, step S250, and step S260 in the method 200.
- In response to the communication apparatus 10 being configured to perform the method 300 in FIG. 5, the transceiver module 11 is configured to perform step S340, step S350, and step S380 in the method 300, and the processing module 12 is configured to perform step S360 and step S390 in the method 300.
- The transceiver module 11 is configured to receive, in a first physical frame, a first radio resource control RRC message from user equipment UE. The transceiver module is further configured to receive a second RRC message from the UE, where the second RRC message includes frame information of a second physical frame, and security protection is performed on the first RRC message and the second RRC message by using an access stratum AS security context established by the UE and a base station. The processing module is configured to determine whether the first physical frame matches the second physical frame.
- Optionally, the processing module 12 is configured to: in response to a frame number of the first physical frame being the same as a frame number of the second physical frame and a subframe number of the first physical frame being the same as a subframe number of the second physical frame, determine, by the base station, that the first physical frame matches the second physical frame; otherwise, determine, by the base station, that the first physical frame does not match the second physical frame.
- Optionally, the processing module 12 is further configured to store frame information of a third physical frame.
- Optionally, the processing module 12 is further configured to establish the AS security context with the UE.
- Optionally, the transceiver module 11 is further configured to send indication information to the UE, where the indication information indicates the UE to send a fourth RRC message to the base station.
FIG. 9 is a schematic block diagram of a communication apparatus according to some embodiments. As shown in the figure, the communication apparatus 20 includes atransceiver module 21 and aprocessing module 22. - In a possible design, the communication apparatus 20 corresponds to the user equipment UE in the foregoing method embodiments or a chip disposed in the UE.
- The communication apparatus 20 corresponds to the base station in the method 100, the method 200, and the method 300 according to some embodiments. The communication apparatus 20 includes a module configured to perform a method performed by the user equipment in the method 100 in FIG. 3, the method 200 in FIG. 4, or the method 300 in FIG. 5. In addition, units in the communication apparatus 20 and the foregoing other operations and/or functions are separately intended to implement corresponding procedures of the method 100 in FIG. 3, the method 200 in FIG. 4, or the method 300 in FIG. 5.
- In response to the communication apparatus 20 being configured to perform the method 100 in FIG. 3, the transceiver module 11 is configured to perform step S110 and step S120 in the method 100.
- In response to the communication apparatus 20 being configured to perform the method 200 in FIG. 4, the transceiver module 11 is configured to perform step S210, step S220, and step S230 in the method 200.
- In response to the communication apparatus 20 being configured to perform the method 300 in FIG. 5, the transceiver module 11 is configured to perform step S320, step S330, and step S370 in the method 300.
- The transceiver module 21 is configured to send, in a second physical frame, a first radio resource control (RRC) message to a base station. The transceiver module is further configured to send a second RRC message to the base station, where the second RRC message includes frame information of the second physical frame, and security protection is performed on the first RRC message and the second RRC message by using an access stratum (AS) security context established by the UE and the base station.
- Optionally, the transceiver module 21 is further configured to receive downlink control information (DCI), where the DCI is used to determine the frame information of the second physical frame.
- Optionally, the processing module 22 is configured to store the frame information of the second physical frame.
- Optionally, the processing module 22 is further configured to access the base station and establish the AS security context with the base station.
- Optionally, the transceiver module 21 is configured to: in response to a preset rule being met, send, by the UE in the second physical frame, the first RRC message to the base station.
- Optionally, the processing module 22 is further configured to receive indication information sent by the base station, where the indication information indicates that the UE is to enable man-in-the-middle detection, or to determine that user plane integrity protection between the UE and the base station is not enabled.
- FIG. 10 is a schematic block diagram of a communication apparatus according to some embodiments. As shown in the figure, the communication apparatus 30 includes a transceiver module 31 and a processing module 32.
- In a possible design, the communication apparatus 30 corresponds to the user equipment UE in the foregoing method embodiments.
- The communication apparatus 30 corresponds to the base station in the method 400 and the method 500 according to some embodiments. The communication apparatus 30 includes a module configured to perform a method performed by the UE in the method 400 in FIG. 6 or the method 500 in FIG. 7. In addition, units in the communication apparatus 30 and the foregoing other operations and/or functions are separately intended to implement corresponding procedures of the method 400 in FIG. 6 or the method 500 in FIG. 7.
- In response to the communication apparatus 30 being configured to perform the method 400 in FIG. 6, the transceiver module 41 is configured to perform step S410 and step S420 in the method 400, and the processing module 42 is configured to perform step S430 in the method 400.
- In response to the communication apparatus 30 being configured to perform the method 500 in FIG. 7, the transceiver module 41 is configured to perform step S520, step S530, step S570, and step S590 in the method 500, and the processing module 42 is configured to perform step S580 in the method 500.
- The transceiver module 31 is configured to send, in a third physical frame, a third radio resource control (RRC) message to a base station. The transceiver module is further configured to receive a fourth RRC message from the base station, where the fourth RRC message includes frame information of a fourth physical frame. The transceiver module is further configured to send a fifth RRC message to the base station, where the fifth RRC message indicates whether the third physical frame matches the fourth physical frame, and security protection is performed on the third RRC message, the fourth RRC message, and the fifth RRC message by using an access stratum (AS) security context established by the UE and the base station.
- Optionally, the processing module 32 is configured to: in response to a frame number of the third physical frame being the same as a frame number of the fourth physical frame and a subframe number of the third physical frame being the same as a subframe number of the fourth physical frame, determine, by the UE, that the third physical frame matches the fourth physical frame; otherwise, determine, by the UE, that the third physical frame does not match the fourth physical frame.
- Optionally, the transceiver module 31 is further configured to receive downlink control information (DCI), where the DCI is used to determine frame information of the third physical frame, and the frame information of the third physical frame includes the frame number and the subframe number of the third physical frame.
- Optionally, the processing module 32 is further configured to store the frame information of the third physical frame.
- Optionally, the processing module 32 is further configured to access the base station and establish the AS security context with the base station.
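The frame-matching check of apparatus 10 (base station side, methods 100 to 300) and apparatus 30 (UE side, methods 400 and 500), as an added Python simulation that is not part of the patent: both directions share one frame model and one comparison rule, and the last function shows why the reported frame information must carry AS integrity protection. Assumed, not taken from the page: LTE-style numbering with 1024 frame numbers and ten subframes per frame, HMAC-SHA256 as a stand-in for the AS integrity algorithm with a constructed key named K_RRC_INT, and a relay modelled only as the delay in subframes it adds.

```python
"""Simulation of the frame-matching check described for apparatus 10/20 and 30/40.

Added example, not the patent's own code. Constructed assumptions: LTE-style
timing (system frame number modulo 1024, ten subframes per frame), HMAC-SHA256
standing in for the AS integrity algorithm keyed with K_RRC_INT, and a relay
modelled only as the delay, in subframes, it adds between the UE and the base
station."""
import hashlib
import hmac
from dataclasses import dataclass

SFN_MOD = 1024            # assumption: LTE system frame number range
SUBFRAMES_PER_FRAME = 10  # assumption: ten 1 ms subframes per frame
K_RRC_INT = b"constructed K_RRCint, shared by UE and base station"


@dataclass(frozen=True)
class FrameInfo:
    """Frame information of one physical frame: frame number and subframe number."""
    sfn: int
    subframe: int

    def advance(self, subframes: int) -> "FrameInfo":
        """Physical frame reached after the given number of subframes elapse."""
        total = self.sfn * SUBFRAMES_PER_FRAME + self.subframe + subframes
        return FrameInfo((total // SUBFRAMES_PER_FRAME) % SFN_MOD,
                         total % SUBFRAMES_PER_FRAME)

    def encode(self) -> bytes:
        return f"{self.sfn}:{self.subframe}".encode()

    @classmethod
    def decode(cls, raw: bytes) -> "FrameInfo":
        sfn, subframe = raw.split(b":")
        return cls(int(sfn), int(subframe))


def frames_match(a: FrameInfo, b: FrameInfo) -> bool:
    """Matching rule from the description: frame number and subframe number both equal."""
    return a.sfn == b.sfn and a.subframe == b.subframe


@dataclass(frozen=True)
class RrcMessage:
    """RRC message plus its integrity tag computed under the AS security context."""
    payload: bytes
    mac: bytes


def protect(payload: bytes) -> RrcMessage:
    return RrcMessage(payload, hmac.new(K_RRC_INT, payload, hashlib.sha256).digest())


def verify(msg: RrcMessage) -> bool:
    expected = hmac.new(K_RRC_INT, msg.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg.mac)


def base_station_side_check(relay_delay: int) -> str:
    """Methods 100 to 300: the base station compares the frame in which it received
    the first RRC message with the frame the UE reports in the second RRC message."""
    tx_frame = FrameInfo(100, 3)                   # UE: frame learned from DCI and stored
    first = protect(b"RRC message 1")              # sent by the UE in tx_frame
    rx_frame = tx_frame.advance(relay_delay)       # base station: frame of actual reception
    if not verify(first):
        return "integrity failure"
    second = protect(tx_frame.encode())            # UE reports the frame it sent in
    if not verify(second):
        return "integrity failure"
    reported = FrameInfo.decode(second.payload)
    return "no mitm" if frames_match(rx_frame, reported) else "mitm detected"


def ue_side_check(relay_delay: int) -> str:
    """Methods 400 and 500: the base station reports its reception frame in the
    fourth RRC message, the UE compares and answers in the fifth RRC message."""
    tx_frame = FrameInfo(511, 9)                   # third physical frame (UE side)
    third = protect(b"RRC message 3")
    rx_frame = tx_frame.advance(relay_delay)       # fourth physical frame (base station side)
    if not verify(third):
        return "integrity failure"
    fourth = protect(rx_frame.encode())            # base station -> UE
    if not verify(fourth):
        return "integrity failure"
    matched = frames_match(tx_frame, FrameInfo.decode(fourth.payload))
    fifth = protect(b"match" if matched else b"mismatch")   # UE -> base station
    if not verify(fifth):
        return "integrity failure"
    return "no mitm" if fifth.payload == b"match" else "mitm detected"


def forged_report_is_rejected() -> bool:
    """Why the AS security context matters: a report whose frame information was
    altered without the integrity key fails verification at the base station."""
    genuine = protect(FrameInfo(100, 3).encode())
    altered = RrcMessage(FrameInfo(100, 5).encode(), genuine.mac)
    return not verify(altered)
```

Any relay delay that moves reception into a different subframe is flagged in both directions, and the frame counter wraps at SFN 1023 exactly as the modular arithmetic in `advance` does.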
- FIG. 11 is a schematic block diagram of a communication apparatus according to some embodiments. As shown in the figure, the communication apparatus 30 includes a transceiver module 41 and a processing module 42.
- In a possible design, the communication apparatus 40 corresponds to the base station in the foregoing method embodiments.
- The communication apparatus 40 corresponds to the base station in the method 400 and the method 500 according to some embodiments. The communication apparatus 40 includes a module configured to perform a method performed by the base station in the method 400 in FIG. 6 or the method 500 in FIG. 7. In addition, units in the communication apparatus 30 and the foregoing other operations and/or functions are separately intended to implement corresponding procedures of the method 400 in FIG. 6 or the method 500 in FIG. 7.
- In response to the communication apparatus 40 being configured to perform the method 400 in FIG. 6, the transceiver module 41 is configured to perform step S410, step S420, and step S440 in the method 400.
- In response to the communication apparatus 40 being configured to perform the method 500 in FIG. 7, the transceiver module 41 is configured to perform step S540, step S550, step S560, and step S590 in the method 500, and the processing module 42 is configured to perform step S510 in the method 500.
- The transceiver module 41 is configured to receive, in a fourth physical frame, a third RRC message from user equipment (UE). The transceiver module is further configured to send a fourth RRC message to the UE, where the fourth RRC message includes frame information of the fourth physical frame. The transceiver module is further configured to receive a fifth RRC message sent by the UE. The processing module is configured to determine, based on the fifth RRC message, whether a man-in-the-middle exists between a base station and the UE.
- Optionally, the processing module 42 is configured to: in response to a third physical frame not matching the fourth physical frame, determine that the man-in-the-middle exists between the base station and the UE; or in response to the third physical frame matching the fourth physical frame, determine that no man-in-the-middle exists between the base station and the UE.
- Optionally, the processing module 42 is further configured to establish an AS security context with the UE.
- Optionally, the transceiver module 41 is further configured to send indication information to the UE, where the indication information indicates that the UE is to enable man-in-the-middle detection.
- According to the foregoing methods, FIG. 12 is a schematic diagram of a communication apparatus 50 according to some embodiments. As shown in FIG. 12, the apparatus 50 is a device that detects a man-in-the-middle and includes various handheld devices, in-vehicle devices, wearable devices, computing devices that have a wireless communication function, or other processing devices connected to a wireless modem, and various forms of terminals, mobile stations (Mobile Stations, MSs), terminals (Terminals), user equipment (UEs), soft terminals, and the like.
- The apparatus 50 includes a processor 51 (that is, an example of a processing module) and a memory 52. The memory 52 is configured to store instructions. The processor 51 is configured to execute the instructions stored in the memory 52, to enable the apparatus 30 to implement a step performed by a network registration device in the method corresponding to FIG. 3, FIG. 4, FIG. 5, FIG. 6, or FIG. 7.
- The apparatus 50 further includes an input port 53 (that is, an example of a transceiver module) and an output port 54 (that is, another example of a transceiver module). The processor 51, the memory 52, the input port 53, and the output port 54 communicate with each other through an internal connection path, to transmit a control signal and/or a data signal. The memory 32 is configured to store a computer program. The processor 51 is configured to invoke the computer program from the memory 52 and run the computer program, to control the input port 53 to receive a signal, and control the output port 54 to send a signal, so as to complete a step performed by the terminal device in the foregoing methods. The memory 52 is integrated into the processor 51, or is disposed separately from the processor 51.
- Optionally, in response to the communication apparatus 50 being a communication device, the input port 53 is a receiver, and the output port 54 is a transmitter. The receiver and the transmitter are the same physical entity or different physical entities. In response to the receiver and the transmitter being the same physical entity, the receiver and the transmitter are collectively referred to as a transceiver.
- Optionally, in response to the communication apparatus 50 being a chip or a circuit, the input port 53 is an input interface, and the output port 54 is an output interface.
- In some embodiments, functions of the input port 53 and the output port 54 are implemented by using a transceiver circuit or a dedicated transceiver chip. In some embodiments, the processor 51 is implemented by using a dedicated processing chip, a processing circuit, a processor, or a general-purpose chip.
- In some embodiments, the communication device provided herein is implemented by using a general-purpose computer. Program code for implementing functions of the processor 51, the input port 53, and the output port 54 is stored in the memory 52. The general-purpose processor implements the functions of the processor 51, the input port 53, and the output port 54 by executing the code in the memory 52.
- Modules or units in the communication apparatus 50 are configured to perform actions or processing procedures performed by a device (for example, user equipment) for man-in-the-middle detection in the foregoing methods. To avoid repetition, detailed descriptions thereof are omitted herein.
- For concepts, explanations, detailed descriptions, and other steps of the apparatus 50 that are related to the technical solutions provided in some embodiments, refer to the descriptions related to the content in the foregoing methods or another embodiment. Details are not described herein again.
- According to the foregoing methods, FIG. 13 is a schematic diagram of a communication apparatus 60 according to some embodiments. As shown in FIG. 10, the apparatus 60 is a man-in-the-middle detection device, and includes a network element having an access management function, for example, an AMF.
- The apparatus 60 includes a processor 61 (that is, an example of a processing module) and a memory 62. The memory 62 is configured to store instructions. The processor 61 is configured to execute the instructions stored in the memory 62, to enable the apparatus 60 to implement a step performed by a device for man-in-the-middle detection in the method corresponding to FIG. 3, FIG. 4, FIG. 5, FIG. 6, or FIG. 7.
- The apparatus 60 further includes an input port 63 (that is, an example of a transceiver module) and an output port 64 (that is, another example of a transceiver module). The processor 61, the memory 62, the input port 63, and the output port 64 communicate with each other through an internal connection path, to transmit a control signal and/or a data signal. The memory 62 is configured to store a computer program. The processor 61 is configured to invoke the computer program from the memory 62 and run the computer program, to control the input port 63 to receive a signal, and control the output port 64 to send a signal, so as to complete a step performed by the terminal device in the foregoing methods. The memory 62 is integrated into the processor 61, or is disposed separately from the processor 61.
- Optionally, in response to the communication apparatus 60 being a communication device, the input port 63 is a receiver, and the output port 64 is a transmitter. The receiver and the transmitter are the same physical entity or different physical entities. In response to the receiver and the transmitter being the same physical entity, the receiver and the transmitter are collectively referred to as a transceiver.
- Optionally, in response to the communication apparatus 60 being a chip or a circuit, the input port 63 is an input interface, and the output port 44 is an output interface.
- In some embodiments, functions of the input port 63 and the output port 64 are implemented by using a transceiver circuit or a dedicated transceiver chip. In some embodiments, the processor 61 is implemented by using a dedicated processing chip, a processing circuit, a processor, or a general-purpose chip.
- In some embodiments, the communication device provided herein is implemented by using a general-purpose computer. Program code for implementing functions of the processor 61, the input port 63, and the output port 64 is stored in the memory 62. The general-purpose processor implements the functions of the processor 61, the input port 63, and the output port 64 by executing the code in the memory 62.
- Modules or units in the communication apparatus 60 are configured to perform actions or processing procedures performed by a network-side device (that is, a network device) during network registration in the foregoing methods. To avoid repetition, detailed descriptions thereof are omitted herein.
- For concepts, explanations, detailed descriptions, and other steps of the apparatus 60 that are related to the technical solutions provided in some embodiments, refer to the descriptions related to the content in the foregoing methods or another embodiment. Details are not described herein again.
- FIG. 14 is a schematic diagram of a structure of a terminal device 500 according to some embodiments. For ease of description, FIG. 14 shows main components of the terminal device. As shown in FIG. 14, the terminal device 500 includes a processor, a memory, a control circuit, an antenna, and an input/output apparatus.
- The processor is mainly configured to process a communication protocol and communication data, control the entire terminal device, execute a software program, and process data of the software program; for example, it is configured to support the terminal device in performing actions described in the foregoing embodiments of an indication method for transmitting a precoding matrix. The memory is mainly configured to store a software program and data, for example, to store a codebook described in the foregoing embodiments. The control circuit is mainly configured to convert between a baseband signal and a radio frequency signal, and to process the radio frequency signal. The control circuit and the antenna together are also referred to as a transceiver, and are mainly configured to receive and send a radio frequency signal in a form of an electromagnetic wave. The input/output apparatus, such as a touchscreen, a display, or a keyboard, is mainly configured to receive data entered by a user and output data to the user.
- After the terminal device is powered on, the processor reads a software program in a storage unit, interprets and executes instructions of the software program, and processes data of the software program. In response to data being sent wirelessly, the processor performs baseband processing on the to-be-sent data, and then outputs a baseband signal to a radio frequency circuit. The radio frequency circuit performs radio frequency processing on the baseband signal, and then sends, through the antenna, a radio frequency signal in a form of an electromagnetic wave. In response to data being sent to the terminal device, the radio frequency circuit receives the radio frequency signal through the antenna, converts the radio frequency signal into a baseband signal, and outputs the baseband signal to the processor. The processor converts the baseband signal into data, and processes the data.
- A person skilled in the art is able to understand that, for ease of description, FIG. 14 shows one memory and one processor. In a terminal device, there is a plurality of processors and memories. The memory is also referred to as a storage medium, a storage device, or the like. This is not limited in some embodiments.
- In an optional implementation, the processor includes a baseband processor and a central processing unit. The baseband processor is mainly configured to process a communication protocol and communication data. The central processing unit is mainly configured to control the entire terminal device, execute a software program, and process data of the software program. The processor in FIG. 14 integrates functions of the baseband processor and the central processing unit. A person skilled in the art is able to understand that the baseband processor and the central processing unit alternatively are separate processors, interconnected by using a technology such as a bus. A person skilled in the art is able to understand that the terminal device includes a plurality of baseband processors to adapt to different network standards. The terminal device includes a plurality of central processing units to enhance a processing capability of the terminal device. Components of the terminal device are connected through various buses. The baseband processor alternatively is expressed as a baseband processing circuit or a baseband processing chip. The central processing unit alternatively is expressed as a central processing circuit or a central processing chip. A function of processing a communication protocol and communication data is built in the processor, or is stored in the storage unit in a form of a software program, and the processor executes the software program to implement a baseband processing function.
- As shown in FIG. 14, the terminal device 700 includes a transceiver unit 710 and a processing unit 720. The transceiver unit is also referred to as a transceiver, a transceiver machine, a transceiver apparatus, or the like. Optionally, a component that is in the transceiver unit 710 and that is configured to implement a receiving function is considered as a receiving unit, and a component that is in the transceiver unit 710 and that is configured to implement a sending function is considered as a sending unit. In other words, the transceiver unit 510 includes a receiving unit and a sending unit. For example, the receiving unit is also referred to as a receiver, a receive machine, or a receiving circuit, and the sending unit is also referred to as a transmitter, a transmit machine, or a transmitting circuit.
- The terminal device shown in FIG. 14 performs actions performed by the user equipment in the foregoing method 100, 200, 300, 400, or 500. To avoid repetition, detailed descriptions thereof are omitted herein.
- In some embodiments, the processor is a central processing unit (central processing unit, CPU), or is another general-purpose processor, a digital signal processor (digital signal processor, DSP), an application-specific integrated circuit (application-specific integrated circuit, ASIC), a field programmable gate array (field programmable gate array, FPGA), or another programmable logic device, discrete gate, transistor logic device, discrete hardware component, or the like. The general-purpose processor is a microprocessor, or the processor is any conventional processor or the like.
- In some embodiments, the memory is a volatile memory or a nonvolatile memory, or includes both a volatile memory and a nonvolatile memory. The nonvolatile memory is a read-only memory (Read-only Memory, ROM), a programmable read-only memory (Programmable ROM, PROM), an erasable programmable read-only memory (Erasable PROM, EPROM), an electrically erasable programmable read-only memory (Electrically EPROM, EEPROM), or a flash memory. The volatile memory is a random access memory (Random access memory, RAM), used as an external cache. By way of example, and not limitation, random access memories (Random access memories, RAMs) in many forms are available, for example, a static random-access memory (Static RAM, SRAM), a dynamic random-access memory (DRAM), a synchronous dynamic random access memory (Synchronous DRAM, SDRAM), a double data rate synchronous dynamic random access memory (Double data rate SDRAM, DDR SDRAM), an enhanced synchronous dynamic random access memory (Enhanced SDRAM, ESDRAM), a synchlink dynamic random access memory (Synchlink DRAM, SLDRAM), and a direct rambus random access memory (Direct rambus RAM, DR RAM).
- All or some of the foregoing embodiments are implemented by software, hardware, firmware, or any combination thereof. In response to software being used to implement the embodiments, the foregoing embodiments are implemented completely or partially in a form of a computer program product. The computer program product includes one or more computer instructions or computer programs. In response to the computer instructions or the computer programs being loaded or executed on a computer, procedures or functions according to some embodiments are all or partially generated. The computer is a general-purpose computer, a dedicated computer, a computer network, or another programmable apparatus. The computer instructions are stored in a computer-readable storage medium or transmitted from a computer-readable storage medium to another computer-readable storage medium. For example, the computer instructions are transmitted from a website, computer, server, or data center to another website, computer, server, or data center in a wired or wireless (for example, infrared, radio, or microwave) manner. The computer-readable storage medium is any usable medium accessible by a computer, or a data storage device, such as a server or a data center, integrating one or more usable media. The usable medium is a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium. The semiconductor medium is a solid-state drive.
- The term “and/or” in some embodiments describes an association relationship between associated objects and represents that three relationships exist. For example, A and/or B represents the following three cases: only A exists, both A and B exist, and only B exists. In addition, the character “/” in some embodiments generally represents an “or” relationship between associated objects.
- Sequence numbers of the foregoing processes do not mean execution sequences in some embodiments. The execution sequences of the processes are determined based on functions and internal logic of the processes, and should not be construed as any limitation on the implementation processes of some embodiments.
- A person of ordinary skill in the art is aware that, in combination with the examples described in the embodiments disclosed herein, units and algorithm steps are implemented by electronic hardware or a combination of computer software and electronic hardware. Whether the functions are performed by hardware or software depends on particular applications and design constraint conditions of the technical solutions. A person skilled in the art is able to use different methods to implement the described functions for each particular application, and such an implementation is not considered to go beyond the scope of the embodiments. A person skilled in the art understands that, for the purpose of convenient and brief description, for a detailed working process of the foregoing system, apparatus, and unit, reference can be made to a corresponding process in the foregoing method embodiments. Details are not described herein again. In the several embodiments provided herein, the disclosed system, apparatus, and method are implemented in other manners. For example, the described apparatus embodiment is an example. For example, division into the units is a logical function division and can be another division in actual implementation. For example, a plurality of units or components are combined or integrated into another system, or some features are ignored or not performed. In addition, a displayed or discussed mutual coupling or direct coupling or communication connection is implemented through some interfaces. An indirect coupling or communication connection between apparatuses or units is implemented in electronic, mechanical, or other forms.
- The units described as separate components may or may not be physically separate, and components displayed as units may or may not be physical units, that is, they are located at one position or distributed on a plurality of network units. Some or all of the units are selected based on a condition to achieve an objective of the solutions of the embodiments. In addition, functional units in some embodiments are integrated into one processing unit, each of the units exists alone physically, or two or more units are integrated into one unit. In response to the functions being implemented in a form of a software functional unit and sold or used as an independent product, the functions are stored in a computer-readable storage medium. Based on such an understanding, the technical solutions of this application, or a part contributing to the conventional technology, or some of the technical solutions are embodied in a form of a software product. The computer software product is stored in a storage medium, and includes several instructions for enabling a computer device (which is a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in some embodiments. The foregoing storage medium includes any medium that stores program code, such as a USB flash drive, a removable hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, or an optical disc.
- The foregoing descriptions are implementations of the embodiments, but are not intended to limit the protection scope of the embodiments. Any variation or replacement readily figured out by a person skilled in the art within the technical scope disclosed in the embodiments falls within the protection scope of the embodiments. Therefore, the protection scope of the embodiments is subject to the protection scope of the claims.
Claims (20)
1. A man-in-the-middle detection method, comprising:
receiving, by a communication apparatus in a first physical frame, a first radio resource control (RRC) message from user equipment (UE);
receiving, by the communication apparatus, a second RRC message from the UE, wherein the second RRC message includes frame information of a second physical frame, and security protection is performed on the first RRC message and the second RRC message through an access stratum (AS) security context established by the UE and the communication apparatus; and
determining, by the communication apparatus, whether the first physical frame matches the second physical frame.
2. The method according to claim 1 , wherein:
the frame information of the second physical frame includes a frame number and a subframe number of the second physical frame.
3. The method according to claim 2 , wherein the determining whether the first physical frame matches the second physical frame comprises:
in response to a frame number of the first physical frame being the same as the frame number of the second physical frame and a subframe number of the first physical frame being the same as the subframe number of the second physical frame, determining, by the communication apparatus, that the first physical frame matches the second physical frame; otherwise,
determining, by the communication apparatus, that the first physical frame does not match the second physical frame.
4. The method according to claim 1 , further comprising:
in response to the receiving, in the first physical frame, the first RRC message from the UE,
storing, by the communication apparatus, frame information of the first physical frame.
5. The method according to claim 1 , further comprising:
prior to the receiving, in the first physical frame, the first RRC message from the UE,
establishing, by the communication apparatus, the AS security context with the UE.
6. The method according to claim 1 , further comprising:
prior to the receiving, in the first physical frame, the first RRC message from the UE, sending, by the communication apparatus, indication information to the UE, wherein the indication information indicates the UE is to enable man-in-the-middle detection.
7. A man-in-the-middle detection method, comprising:
sending, by a communication apparatus in a second physical frame, a first radio resource control (RRC) message to a base station; and
sending, by the communication apparatus, a second RRC message to the base station, wherein the second RRC message includes frame information of the second physical frame, and security protection is performed on the first RRC message and the second RRC message through an access stratum (AS) security context established by the communication apparatus and the base station.
8. The method according to claim 7 , wherein:
the frame information of the second physical frame includes a frame number and a subframe number of the second physical frame.
9. The method according to claim 7 , further comprising:
prior to the sending, in the second physical frame, the first RRC message to the base station,
receiving, by the communication apparatus, downlink control information (DCI), wherein the DCI is usable to determine the frame information of the second physical frame; and
storing, by the communication apparatus, the frame information of the second physical frame.
10. The method according to claim 7 , further comprising:
prior to the sending, in the second physical frame, the first RRC message to the base station,
accessing, by the communication apparatus, the base station, and establishing the AS security context with the base station.
11. The method according to claim 7 , wherein:
the sending, in the second physical frame, the first RRC message to the base station comprises:
in response to a preset rule being met, sending, by the communication apparatus in the second physical frame, the first RRC message to the base station.
12. The method according to claim 11 , wherein:
the preset rule includes:
receiving, by the communication apparatus, indication information sent by the base station, wherein the indication information indicates the communication apparatus is to enable man-in-the-middle detection; or
determining, by the communication apparatus, that user plane integrity protection between the communication apparatus and the base station is not enabled.
13. A communication apparatus, wherein the apparatus comprises:
a processor;
a memory operably connected to the processor, the processor being configured to execute a computer program stored in the memory to enable the communication apparatus to:
send, in a second physical frame, a first radio resource control (RRC) message to a base station; and
send a second RRC message to the base station, wherein the second RRC message includes frame information of the second physical frame, and security protection is performed on the first RRC message and the second RRC message through an access stratum (AS) security context established by the communication apparatus and the base station.
14. The communication apparatus according to claim 13 , wherein:
the frame information of the second physical frame includes a frame number and a subframe number of the second physical frame.
15. The communication apparatus according to claim 13 , wherein the processor is configured to execute the computer program to enable the communication apparatus to:
receive downlink control information (DCI), wherein the DCI is used to determine the frame information of the second physical frame; and
store the frame information of the second physical frame.
16. The communication apparatus according to claim 13 , wherein the processor is configured to execute the computer program to enable the communication apparatus to:
access the base station; and
establish the AS security context with the base station.
17. The communication apparatus according to claim 13 , wherein:
the sending, in the second physical frame, the first RRC message to the base station comprises:
in response to a preset rule being met, sending, in the second physical frame, the first RRC message to the base station.
18. The communication apparatus according to claim 17 , wherein:
the preset rule includes:
receiving indication information sent by the base station, wherein the indication information indicates the communication apparatus is to enable man-in-the-middle detection; or
determining that user plane integrity protection between the communication apparatus and the base station is not enabled.
19. A communication apparatus, comprising:
a processor;
a memory operably connected to the processor, the processor configured to execute a computer program stored in the memory to enable the communication apparatus to:
send, in a first physical frame, a first radio resource control (RRC) message to a base station; and
send a second RRC message to the base station, wherein the second RRC message includes frame information of a second physical frame, and security protection is performed on the first RRC message and the second RRC message through an access stratum (AS) security context established by the communication apparatus and the base station.
20. The communication apparatus according to claim 19 , wherein the processor is configured to execute the computer program to enable the communication apparatus to:
receive downlink control information (DCI), wherein the DCI is used to determine the frame information of the second physical frame; and
store the frame information of the second physical frame.
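The exchange the claims describe, simulated end to end as an added example (this is illustrative code written for this page, not code from the patent or from any 3GPP implementation). The UE sends RRC message 1 in one physical frame and records that frame's (SFN, subframe), then sends RRC message 2 carrying the recorded frame information; both messages are integrity protected with the shared AS key. The base station is taken to compare the reported frame with the frame in which message 1 actually arrived; that comparison step belongs to the base-station-side claims that are not fully shown on this page, so it is stated here as an assumption about how the frame information is used. Further assumptions: HMAC-SHA256 truncated to 32 bits stands in for the NR integrity algorithm, timing advance absorbs direct-path propagation delay so the frames agree on a direct link, and a decode-and-forward relay adds a constructed 3 ms of processing delay. The claim 12 preset rule is included as a small helper.

```python
"""Simulated UE <-> base station man-in-the-middle detection exchange.

Added illustration for this page; not code from the patent or from 3GPP.
Assumptions are marked in comments.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os
from dataclasses import dataclass

# NR/LTE numerology: 10 ms radio frame, ten 1 ms subframes, SFN wraps at 1024.
SUBFRAMES_PER_FRAME = 10
SFN_MODULUS = 1024
MAC_LEN = 4  # MAC-I is 32 bits


def frame_info(t_ms: int) -> tuple[int, int]:
    """Map an absolute air-interface time in ms to (SFN, subframe)."""
    return (t_ms // SUBFRAMES_PER_FRAME) % SFN_MODULUS, t_ms % SUBFRAMES_PER_FRAME


def protect(k_rrc_int: bytes, body: dict) -> bytes:
    """Integrity-protect an RRC PDU. HMAC-SHA256 is an assumed stand-in for
    the real NR integrity algorithm; only the key-dependence matters here."""
    payload = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(k_rrc_int, payload, hashlib.sha256).digest()[:MAC_LEN]
    return payload + mac


def verify(k_rrc_int: bytes, pdu: bytes) -> dict | None:
    """Return the decoded body if the MAC-I verifies, else None."""
    payload, mac = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
    expected = hmac.new(k_rrc_int, payload, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def should_enable_detection(network_indicated: bool, up_integrity_enabled: bool) -> bool:
    """Claim 12 preset rule: detection runs if the base station indicated it,
    or if user plane integrity protection is not enabled."""
    return network_indicated or not up_integrity_enabled


@dataclass
class UE:
    k_rrc_int: bytes
    stored_frame: tuple[int, int] | None = None

    def send_first(self, t_tx_ms: int) -> bytes:
        # The UE learns its grant's frame from DCI (claim 9); modelled here as
        # the transmission instant. It stores the frame info for message 2.
        self.stored_frame = frame_info(t_tx_ms)
        return protect(self.k_rrc_int, {"type": "rrc1", "payload": "measurementReport"})

    def send_second(self) -> bytes:
        sfn, sub = self.stored_frame
        return protect(self.k_rrc_int, {"type": "rrc2", "sfn": sfn, "subframe": sub})


@dataclass
class BaseStation:
    k_rrc_int: bytes
    rx_frame: tuple[int, int] | None = None

    def receive_first(self, pdu: bytes, t_rx_ms: int) -> str:
        if verify(self.k_rrc_int, pdu) is None:
            return "integrity-failure"
        self.rx_frame = frame_info(t_rx_ms)  # frame in which message 1 actually arrived
        return "ok"

    def receive_second(self, pdu: bytes) -> str:
        body = verify(self.k_rrc_int, pdu)
        if body is None:
            return "integrity-failure"
        reported = (body["sfn"], body["subframe"])
        # Assumption: timing advance absorbs direct-path propagation delay, so a
        # direct link yields equal frames; a relay's decode-and-forward does not.
        return "ok" if reported == self.rx_frame else "mitm-suspected"


def run_exchange(relay_delay_ms: int, tamper: bool = False) -> str:
    """Run one exchange over a link that adds relay_delay_ms (0 = direct)."""
    k = os.urandom(16)  # shared AS integrity key (constructed)
    ue, gnb = UE(k), BaseStation(k)
    t0 = 123_457  # constructed absolute time in ms
    gnb.receive_first(ue.send_first(t0), t0 + relay_delay_ms)
    m2 = ue.send_second()
    if tamper:
        # A relay rewriting the reported frame to match its own forwarding time
        # cannot recompute the MAC-I without the AS key.
        body = json.loads(m2[:-MAC_LEN])
        body["sfn"], body["subframe"] = gnb.rx_frame
        m2 = json.dumps(body, sort_keys=True).encode() + m2[-MAC_LEN:]
    return gnb.receive_second(m2)


if __name__ == "__main__":
    print("direct :", run_exchange(0))
    print("relayed:", run_exchange(3))
    print("relayed+tampered:", run_exchange(3, tamper=True))
```

The direct exchange returns "ok", the relayed one "mitm-suspected", and a relay that edits the frame information in message 2 triggers "integrity-failure" instead, which is why the claims require both messages to be protected by the AS security context rather than only the first.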
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2020/124992 WO2022087995A1 (en) | 2020-10-29 | 2020-10-29 | Man-in-the middle detection method and device |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/124992 Continuation WO2022087995A1 (en) | 2020-10-29 | 2020-10-29 | Man-in-the middle detection method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
US20240080669A1 true US20240080669A1 (en) | 2024-03-07 |
Family
ID=81381755
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US18/308,072 Pending US20240080669A1 (en) | 2020-10-29 | 2023-04-27 | Man-in-the-middle detection method and apparatus |
Country Status (4)
Country | Link |
---|---|
US (1) | US20240080669A1 (en) |
EP (1) | EP4228202A4 (en) |
CN (1) | CN116325657A (en) |
WO (1) | WO2022087995A1 (en) |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102223632B (en) * | 2010-04-15 | 2015-12-16 | 中兴通讯股份有限公司 | A kind of Access Layer security algorithm synchronous method and system |
CN110545253B (en) * | 2018-05-29 | 2022-03-29 | 大唐移动通信设备有限公司 | Information processing method, device, equipment and computer readable storage medium |
US11070981B2 (en) * | 2019-01-18 | 2021-07-20 | Qualcomm Incorporated | Information protection to detect fake base stations |
2020
- 2020-10-29 CN CN202080106462.5A patent/CN116325657A/en active Pending
- 2020-10-29 WO PCT/CN2020/124992 patent/WO2022087995A1/en unknown
- 2020-10-29 EP EP20959157.7A patent/EP4228202A4/en active Pending
2023
- 2023-04-27 US US18/308,072 patent/US20240080669A1/en active Pending
Also Published As
Publication number | Publication date |
---|---|
CN116325657A (en) | 2023-06-23 |
WO2022087995A1 (en) | 2022-05-05 |
EP4228202A1 (en) | 2023-08-16 |
EP4228202A4 (en) | 2023-11-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3917213A1 (en) | | Information transmission method and device |
US11477709B2 (en) | | Failure processing method, handover method, terminal device, and network device |
EP3661090B1 (en) | | Command instruction method and device, and information interaction method and device |
WO2020199942A1 (en) | | Communication method, communication apparatus, and system |
CN114449043B (en) | | Communication method and communication device |
US10764936B2 (en) | | Data transmission method based on non-access stratum messages, base station, and user equipment |
CN113543274B (en) | | Network access method and device |
US20230010109A1 (en) | | Communication method and apparatus |
US20220014901A1 (en) | | Method and apparatus for identifying user equipment capability in sidelink transmission |
US11412571B2 (en) | | Communication method and communications apparatus to deliver first data to an upper layer |
WO2021062730A1 (en) | | Wireless communication method and device |
EP4099761A1 (en) | | Re-establishment method and communication apparatus |
WO2021022991A1 (en) | | Method for communication and device |
US20230086410A1 (en) | | Communication method and communication apparatus |
US20230012998A1 (en) | | Communication method, access network device, terminal device, and core network device |
WO2020211778A1 (en) | | Cell handover method and apparatus |
US20230217327A1 (en) | | Communication method, device, and apparatus |
WO2021027660A1 (en) | | Radio communication method and communication apparatus |
US20240080669A1 (en) | | Man-in-the-middle detection method and apparatus |
WO2022237575A1 (en) | | Measurement configuration method and apparatus |
US11051171B2 (en) | | Communication method, related device, and system |
EP4369824A1 (en) | | Carrier configuration method and communication apparatus |
US20240179524A1 (en) | | Security context update method and communication apparatus |
EP4216633A1 (en) | | Communication method and communication apparatus |
WO2023185756A9 (en) | | Information transmission methods and apparatus, terminal and network-side device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |